Your Apps and Evolving Network Security Standards

Transcription

1 Session System Frameworks #WWDC17 Your Apps and Evolving Network Security Standards 701 Bailey Basile, Secure Transports Engineer Chris Wood, Secure Transports Engineer 2017 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.

2 BEAST FREAK CRIME POODLE Sweet32 SLOTH LogJam FLAME SHAttered Lucky13 Mis-issuance NOMORE Factoring BREACH DROWN 3HS

3 BEAST FREAK CRIME POODLE Sweet32 SLOTH LogJam FLAME SHAttered Lucky13 NOMORE Factoring BREACH DROWN Mis-issuance 3HS

4 Best practices

5 Best practices App Transport Security update

6 Best practices App Transport Security update Transport Layer Security

7 Best Practices

8 Best Practices

9 Best Practices No set and forget

10 Best Practices No set and forget Standards bodies, academic research, and industry best practices

11 Best Practices No set and forget Standards bodies, academic research, and industry best practices Update libraries

12 Best Practices No set and forget Standards bodies, academic research, and industry best practices Update libraries OS removes insecure options

13 Best Practices No set and forget Standards bodies, academic research, and industry best practices Update libraries OS removes insecure options ATS enforces best practices

14 Best Practices No set and forget Standards bodies, academic research, and industry best practices Update libraries OS removes insecure options ATS enforces best practices Worth the maintenance cost

15 Best Practices BEAST FREAK CRIME POODLE Sweet32 SLOTH NOMORE FLAME SHAttered Lucky13 LogJam Factoring BREACH DROWN Mis-issuance 3HS

16 Best Practices Encryption BEAST FREAK CRIME POODLE Sweet32 SLOTH NOMORE FLAME SHAttered Lucky13 LogJam Factoring BREACH DROWN Mis-issuance 3HS

17 Best Practices Encryption BEAST FREAK CRIME POODLE Cryptographic hashes Sweet32 SLOTH NOMORE FLAME SHAttered Lucky13 LogJam Factoring BREACH DROWN Mis-issuance 3HS

18 Best Practices Encryption BEAST FREAK CRIME POODLE Cryptographic hashes Sweet32 SLOTH NOMORE FLAME Public keys SHAttered Lucky13 LogJam Factoring BREACH DROWN Mis-issuance 3HS

19 Best Practices Encryption BEAST FREAK CRIME POODLE Cryptographic hashes Sweet32 SLOTH NOMORE FLAME Public keys SHAttered Lucky13 LogJam Factoring Protocols BREACH DROWN Mis-issuance 3HS

20 Best Practices Encryption BEAST FREAK CRIME POODLE Cryptographic hashes Sweet32 SLOTH NOMORE FLAME Public keys SHAttered Lucky13 LogJam Factoring Protocols Revocation BREACH DROWN Mis-issuance 3HS

21 Best Practices Encryption BEAST FREAK CRIME POODLE Cryptographic hashes Sweet32 SLOTH NOMORE FLAME Public keys SHAttered Lucky13 LogJam Factoring Protocols Revocation BREACH DROWN Mis-issuance 3HS

22 Encryption

23 Encryption RC4 3DES-CBC AES-CBC

24 Encryption RC4 3DES-CBC AES-CBC Future removal: RC4 and 3DES

25 Encryption RC4 3DES-CBC AES-GCM ChaCha20/Poly1305 AES-CBC Future removal: RC4 and 3DES

26 Cryptographic Hashes

27 Cryptographic Hashes MD5 SHA-1

28 Cryptographic Hashes MD5 SHA-1 New removal: SHA-1 signed certificates for TLS

29 Cryptographic Hashes MD5 SHA-2 Family SHA-1 New removal: SHA-1 signed certificates for TLS

30 Public Keys

31 Public Keys <1024-bit RSA

32 Public Keys <2048-bit RSA

33 Public Keys <2048-bit RSA New removal: <2048-bit RSA for TLS

34 Public Keys <2048-bit RSA 2048-bit RSA Elliptic Curves New removal: <2048-bit RSA for TLS

35 Protocols

36 Protocols SSLv3 TLS 1.0 TLS 1.1

37 Protocols SSLv3 TLS 1.2 TLS 1.0 TLS 1.1

38 Protocols SSLv3 TLS 1.2 TLS 1.0 TLS 1.1 New addition: TLS 1.3 (draft)

39 Revocation

40 Revocation No checking

41 Revocation No checking OCSP Stapling

42 Revocation Online Certificate Status Protocol Certificate Authority Server Client

43 Revocation Online Certificate Status Protocol Certificate Authority Server Client

44 Revocation Online Certificate Status Protocol Certificate Authority Server Client

45 Revocation Online Certificate Status Protocol Certificate Authority? Server Client

46 Revocation Online Certificate Status Protocol Certificate Authority? Server Client

47 Revocation Online Certificate Status Protocol

48 Revocation Online Certificate Status Protocol Additional network connection

49 Revocation Online Certificate Status Protocol Additional network connection Compromises user privacy

50 Revocation Online Certificate Status Protocol Additional network connection Compromises user privacy Requires app opt-in

51 Revocation OCSP Stapling Certificate Authority Server Client

52 Revocation OCSP Stapling Certificate Authority Server Client

53 Revocation OCSP Stapling Certificate Authority? Server Client

54 Revocation OCSP Stapling Certificate Authority? Server Client

55 Revocation OCSP Stapling Certificate Authority? Server Client

56 Revocation OCSP Stapling

57 Revocation OCSP Stapling Slow adoption

58 Revocation OCSP Stapling Slow adoption Does not protect against malicious servers

59 Revocation Enhancement Apple

60 Revocation Enhancement CT Log Apple

61 Revocation Enhancement Certificate Authority CT Log Certificate Authority Apple Certificate Authority

62 Revocation Enhancement Certificate Authority CT Log? Certificate Authority? Apple? Certificate Authority

63 Revocation Enhancement Certificate Authority CT Log Certificate Authority Apple Certificate Authority

64 Revocation Enhancement Certificate Authority CT Log Certificate Authority Apple Certificate Authority

65 Revocation Enhancement Certificate Authority CT Log Certificate Authority Apple Certificate Authority Client

66 Revocation Improvements

67 Revocation Improvements Reduced privacy compromise

68 Revocation Improvements Reduced privacy compromise Automatic updating

69 Revocation Improvements Reduced privacy compromise Automatic updating Faster connections

70 Evolving Standards

71 Evolving Standards Encryption RC4, CBC modes AES-GCM ChaCha20/Poly1305

72 Evolving Standards Encryption RC4, CBC modes AES-GCM ChaCha20/Poly1305 Hashes MD5, SHA-1 SHA-2 family

73 Evolving Standards Encryption RC4, CBC modes AES-GCM ChaCha20/Poly1305 Hashes MD5, SHA-1 SHA-2 family Public Keys <2048-bit RSA 2048-bit RSA Elliptic curves

74 Evolving Standards Encryption RC4, CBC modes AES-GCM ChaCha20/Poly1305 Hashes MD5, SHA-1 SHA-2 family Public Keys <2048-bit RSA 2048-bit RSA Elliptic curves Protocols SSLv3, TLS 1.0, TLS TLS 1.2+

75 Evolving Standards Encryption RC4, CBC modes AES-GCM ChaCha20/Poly1305 Hashes MD5, SHA-1 SHA-2 family Public Keys <2048-bit RSA 2048-bit RSA Elliptic curves Protocols SSLv3, TLS 1.0, TLS TLS 1.2+ Revocation No checking Certificate Transparency OCSP Stapling

76 TLS Trust Removals

77 Trust Removals

78 Trust Removals SHA-1 signed certificates for TLS

79 Trust Removals SHA-1 signed certificates for TLS Certificates using <2048-bit RSA for TLS

80 Trust Removals

81 Trust Removals Does not affect

82 Trust Removals Does not affect Root certificates

83 Trust Removals Does not affect Root certificates Enterprise-distributed certificates

84 Trust Removals Does not affect Root certificates Enterprise-distributed certificates User-installed certificates

85 Trust Removals Does not affect Root certificates Enterprise-distributed certificates User-installed certificates Client certificates

86 Trust Removals sha1-intermediate.badssl.com

87 Trust Removals sha1-intermediate.badssl.com

88 Trust Removals

89 Trust Removals InvalidCertChain (-9807) SSL errors with URLSession

90 Trust Removals InvalidCertChain (-9807) SSL errors with URLSession Servers to upgrade to new certificates

91 Trust Removals InvalidCertChain (-9807) SSL errors with URLSession Servers to upgrade to new certificates

92 What to Do Now?

93 What to Do Now? Check your implementations, libraries, and servers

94 What to Do Now? Check your implementations, libraries, and servers Server Developers

95 What to Do Now? Check your implementations, libraries, and servers Server Developers Replace any SHA-1 certificates or weak RSA keys

96 What to Do Now? Check your implementations, libraries, and servers Server Developers Replace any SHA-1 certificates or weak RSA keys Upgrade servers to TLS 1.2 and authenticated encryption ciphers

97 What to Do Now? Check your implementations, libraries, and servers Server Developers Replace any SHA-1 certificates or weak RSA keys Upgrade servers to TLS 1.2 and authenticated encryption ciphers Use OCSP Stapling

98 What to Do Now? Check your implementations, libraries, and servers Server Developers Replace any SHA-1 certificates or weak RSA keys Upgrade servers to TLS 1.2 and authenticated encryption ciphers Use OCSP Stapling Check that your certificates are in CT logs

99 What to Do Now? Check your implementations, libraries, and servers Server Developers Replace any SHA-1 certificates or weak RSA keys Upgrade servers to TLS 1.2 and authenticated encryption ciphers Use OCSP Stapling Check that your certificates are in CT logs App Developers

100 What to Do Now? Check your implementations, libraries, and servers Server Developers Replace any SHA-1 certificates or weak RSA keys Upgrade servers to TLS 1.2 and authenticated encryption ciphers Use OCSP Stapling Check that your certificates are in CT logs App Developers Avoid ATS exceptions

101 App Transport Security Update Chris Wood, Secure Transports Engineer

102 App Transport Security Current standards

103 App Transport Security Current standards From HTTP to HTTPS TLS 1.2 Strong cryptography AES and SHA-2 Forward Secrecy ECDHE

104 App Transport Security Current standards From HTTP to HTTPS TLS 1.2 Strong cryptography AES and SHA-2 Forward Secrecy ECDHE Exceptions per-domain, narrow

105 Exception Updates

106 Exception Updates Expansion beyond WebKit AVFoundation loads WebView requests Local network connections

107 Exception Updates Expansion beyond WebKit AVFoundation loads WebView requests Local network connections Certificate Transparency requirement

108 ATS-Compliant Services Practice what you preach APNs iwork FaceTime Spotlight Game Center iad Apple Services itunes icloud Services (Mail, CloudKit) Software Update

109 ATS on the Rise

110 ATS on the Rise ATS adoption is increasing

111 ATS on the Rise ATS adoption is increasing Still more work to be done

112 ATS on the Rise ATS adoption is increasing Still more work to be done Minimize or reduce exceptions

113 Transport Layer Security

114 SSL and TLS Lineage A long road

115 SSL and TLS Lineage A long road TLS

116 SSL and TLS Lineage A long road TLS 1.0 TLS

117 SSL and TLS Lineage A long road TLS 1.0 TLS 1.1 TLS

118 SSL and TLS Lineage A long road TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 (draft)

119 TLS 1.3 Best practice by design

120 TLS 1.3 Best practice by design Strong cryptography and Forward Secrecy by default Legacy options, ciphers, and key exchange algorithms removed

121 TLS 1.3 Best practice by design Strong cryptography and Forward Secrecy by default Legacy options, ciphers, and key exchange algorithms removed Overall simpler specification

122 TLS 1.3 Best practice by design Strong cryptography and Forward Secrecy by default Legacy options, ciphers, and key exchange algorithms removed Overall simpler specification Improved network efficiency

123 TLS 1.3 Overview Improved efficiency TLS 1.2 TLS 1.3 Client Server Client Server Time

124 TLS 1.3 Overview Improved efficiency TLS 1.2 TLS 1.3 Client Server Client Server SYN SYN SYN+ACK SYN+ACK ACK ACK Time

125 TLS 1.3 Overview Improved efficiency TLS 1.2 TLS 1.3 Client Server Client Server SYN SYN SYN+ACK SYN+ACK ACK ACK CH SH Time CH, KEX SH, KEX CH - Client Hello SH - Server Hello KEX - Key Share

126 TLS 1.3 Overview Improved efficiency TLS 1.2 TLS 1.3 Client Server Client Server SYN SYN SYN+ACK SYN+ACK ACK ACK CH SH KEX Time CH, KEX SH, KEX DATA CH - Client Hello SH - Server Hello KEX - Key Share KEX

127 TLS 1.3 Overview Improved efficiency TLS 1.2 TLS 1.3 Client Server Client Server SYN SYN SYN+ACK SYN+ACK ACK ACK CH SH KEX Time CH, KEX SH, KEX DATA CH - Client Hello SH - Server Hello KEX - Key Share KEX DATA

128 How to Enable TLS 1.3 Beta?

129 How to Enable TLS 1.3 Beta? It is not on by default

130 How to Enable TLS 1.3 Beta? It is not on by default You can install a profile on ios

131 How to Enable TLS 1.3 Beta? It is not on by default You can install a profile on ios You can enable system-wide TLS 1.3 on macos defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1

132 TLS 1.3 Outlook

133 TLS 1.3 Outlook IETF standardization ( )

134 TLS 1.3 Outlook IETF standardization ( ) Third-party collaboration

135 TLS 1.3 Outlook IETF standardization ( ) Third-party collaboration Enterprise preparation

136 Takeaways

137 Takeaways Implement best practices

138 Takeaways Implement best practices Avoid new and future algorithm removals

139 Takeaways Implement best practices Avoid new and future algorithm removals Continue upgrading to modern TLS configurations

140 Takeaways Implement best practices Avoid new and future algorithm removals Continue upgrading to modern TLS configurations Minimize or remove App Transport Security exceptions

141 Takeaways Implement best practices Avoid new and future algorithm removals Continue upgrading to modern TLS configurations Minimize or remove App Transport Security exceptions Try out TLS 1.3

142 More Information

143 Related Sessions Privacy and Your Apps Executive Ballroom Tuesday 11:20AM Advances in Networking, Part 1 Executive Ballroom Wednesday 3:10PM Advances in Networking, Part 2 Executive Ballroom Wednesday 4:10PM

144 Labs Security & Privacy Technology Lab D Tue 1:50PM-3:50PM Security & Privacy Technology Lab J Wed 1:00PM-3:30PM Networking Lab Technology Lab D Thu 9:00AM-11:00AM Networking Lab Technology Lab J Fri 1:50PM-3:50PM

145