Was ist neu bei TLS 1.3?

Transcription

1 Was ist neu bei TLS 1.3? TSLv1.3 21nd Century Internet Transmission Security Dr. Erwin Hoffmann November, 20th, / 23

2 Todays Agenda History of TLS and it s cryptographic concepts Working model of former TLS implementations Changes done for TLS 1.3 OpenSSL under OmniOSce Installation of fehqlibs + ucspi-ssl Protocol analysis using WireShark and testssl TLS 1.3. has been published in RFC 8446 after years of discussion in the IETF in August Since September 2018 OpenSSL is available supporting TLSv1.3. My software ucspi-ssl-0.10 is OpenSSL enabled and used here together with OmniOS (r15028). 2 / 23

3 Internet security protocols Transport Layer Security (TLS) aka Secure Socket Layer (SSL) is a fundamental IT security concept and in particular used for Web encryption (HTTPS) and encrypted transmission (ESMTPS/ESMTP+StartTLS). Message TLS- Records HTTPS IPsec packets MAC frames TLS Bit transmission SSH TCP/UDP IP MAC PHY protected messages protected TLS end-to-end transmission TLS Tunnel Security Association via IPsec MACsec Router function WPA(2) Dark Fiber Wireless MAC PHY SSH User (authenticated) HTTPS Application Instance TLS (authenticated) TCP/UDP Instance (stateful) IP Instance (stateless, stateful) Figure: IT security protocols in a layered view The cryptographic framework and routines are also used for SSH, PGP, IPSec and WiFi (WPA2), though in a different context. 3 / 23

4 Development of cryptographic standards and protocols Message TLS- Records HTTPS IPsec packets MAC frames TLS Bit transmission SSH TCP/UDP IP MAC PHY protected messages protected TLS end-to-end transmission TLS Tunnel Security Association via IPsec MACsec Router function WPA(2) Dark Fiber Wireless MAC PHY SSH User (authenticated) HTTPS Application Instance TLS (authenticated) TCP/UDP Instance (stateful) IP Instance (stateless, stateful) Figure: Cryptographic standards since the Unix epoch 4 / 23

5 The #4 Crypto Primitives Certificate Authority (CA) h: Hash Primitive MD5, SHA, Poly1305 CA s private key σ: Signature Primitive DSA, DSS Symmetrical crypto Asymmetrical crypto Internet!: Key Exchange Primitive RSA, Diffie-Hellman CA s public key Bob s public key C : En/Decryption Primitive Alice Block + Stream ciphers (AES, ChaCha) Bob Bob s private key Figure: The #4 crypto primitives 5 / 23

6 TLS Use Cases SMTP- Client (MUA) TCP SYN a) Internet TLS Handshake 220 hostname EMSTP EHLO client 250-hostname 250-PIPELINING 250-8BITMIME 250-SIZE AUTH LOGIN SMTPS- Server TCPListen Port 465 TLS Tunnel SMTP- Client (MUA) TCP SYN b) Internet 220 hostname EMSTP EHLO client 250-hostname 250-PIPELINING 250-8BITMIME 250-SIZE AUTH LOGIN 250 STARTTLS STARTTLS 220 Ready to start TLS TLS Handshake TLS Tunnel SMTP- Server TCPListen Port 25 Figure: Immediate TLS and delayed TLS encryption; aka STARTTLS / STLS Immediate/mandatory TLS encryption: HTTPS, SMTPS, LDAPS, IMAPS, POP3S, QMTPS Delayed/optional TLS encryption: ESMTP + StartTLS, POP3 + STLS 6 / 23

7 TLS Networking Layering T L S Handshake Heartbeat Change CipherSpec Alert (Type 24) (Type 22) (Type 20) (Type 21) Record Layer Protocol HTTP, SMTP, LDAP,... Application protocol (Type 23) User Datagram Protocol (UDP) Transmission Control Protocol (TCP) Internet Protocol (IP) Figure: TLS protocol layering TLS is located on top of TCP/UDP (layer 4+5) and below the application layer (7). It provides a mini layering. The Record layer can be considered as transmission layer: The workhorse. Handshake, Change Cipher and Alert messages are mostly un-encrypted (using a NULL-encryption). The Application messages are encrypted and protected. The Heartbeat Protocol was added in 2011 with only rough evaluation (and fatal consequences). 7 / 23

8 The #4 Crypto Primitives within TLS < 1.3: The Handshake TLS < 1.3 provides three different ways of handshakes: RSA handshake using static RSA public and private keys (the RSA public key is part of the X.509 certificate). Diffie-Hellman using the Discrete Logarithm algorithm (DHE) while providing ephemeral keys. The DH parameters can be configured and changed frequently. Diffie-Hellman with Elliptic Curve Cryptography (ECDHE). Curves and the DH params (as starting point for the calculation are typically fixed by the implementation. (TLS-)Client TCP segment TCP segment Internet TCP Three Way Handshake ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished secured TLS connection Figure: TLS handshake message exchange (TLS-)Server TCP segment = IP packet TCP segment 8 / 23

9 The #4 Crypto Primitives within TLS < 1.3: Encryption TLS as the successor of SSL supports different sets of symmetrical de/encryption: Block ciphers: 64 bit key-length DES 128 bit key-length 3DES 128, 256, 384, 512 bit key-length AES The Block Ciphers are often used in streaming mode : CBC, OFB, GCM. Stream ciphers: bit key-length RC4 ChaCha20 (with TLS 1.2) Steps: Input data Encryptionalgorithm/ implementation Operations mode Feistel Chiffres (DES, 3DES, Lucifer, TEA) Block Cipher fixed key Rijndael Chiffres (AES, Blowfish, Serpant, Idea) Symmetrical En-/De-cryption common secret key Cipher stream (RC4, A5/1+A5/2) Stream Cipher ECB CBC CFB GCM S-Box LFSR NFSR + IV pseudo-random key Cipher stream generation One Time Pad Figure: TLS symmetric encryption 9 / 23

10 The #4 Crypto Primitives within TLS < 1.3: Integrity Check TLS (1.2) uses a keyword authenticated hash to provide authenticity and integrity for the data: Message Authentication Code (keyed MAC). Since TLS employs both stream and block encryption, hashing is done per TLS record prior of encryption: MAC-then-encrypt (MtE). RL Header Protocol = encrypted (optional) Message(s) Length (2 Byte) Version (2 Byte) Protocol (1 Byte) Hashvalue MAC MP PL Padding (optional) Data of the application protocol Segment Compression MAC calculation Encryption 20: ChangeCipherSpec Protocol Record Layer 21: Alert Protocol Header 22: Handshake Protocol 23: Application Protocol (HTTP,.) 24: Heartbeat Protocol (DTLS; maybe also TLS) Figure: Checking the integrity of transmitted data Segment Record Layer Frame Segment Auth key MAC Session key (+IV) 10 / 23

11 The #4 Crypto Primitives within TLS < 1.3: Cipher Suites Crypto primitives used for the current session are provided as Cipher Suite. The TLS protocol enumerates the sets fo crypto primitives. KeyExchange+Authentication Encryption+Operational mode MAC TLS _ RSA DH/DHE ECDH Anonymous DH RSA RSA (Export) DSA DSS ECDSA Figure: TLS Cipher Suites [RFC 3268] Null *RC4(_40/_56/_128) DES(_40/_56) 3DES_EDE(3) AES(_128/_256/_512) RC2(_128/_256) SEED CAMILLA ECB(default) CBC GCM *) Stream cipher; all others: Block ciphers Null MD5 SHA(1) SHA256 SHA384 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 }; CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 }; CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 }; CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 }; CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A }; 11 / 23

12 TLS < 1.3: Keymaterial and Keys TLS uses a variety of hash functions to derive deterministically the PreMasterSecret and the Session keys from the input material. Hash functions are used to diffuse the input and thus pseudo random sequences with significant entropy are the result. This is called a Pseudo Random Function PRF. 'A' PreMasterSecret ServerRandom ClientRandom SHA Hash Hash Hash Hash Hash Hash } } } PreMasterSecret Hash MD5 MAC Secret Session Secret IV 'BB' PreMasterSecret ServerRandom ClientRandom SHA Client Server Client Server Client Server 'CCC' PreMasterSecret ServerRandom ClientRandom PreMasterSecret Hash SHA MD5 Initialisation vector IV: a) For Stream ciphers - or - b) for CBC/GCM operation mode PreMasterSecret Hash MD5 Figure: Generating the PreMaster and the Session secrets Hash Hash Hash 3 * 128 bit Given RSA encryption, the only random number is the client s random provided during the handshake. For Diffie-Hellman, client and server deliver a random value. 12 / 23

13 TLS < 1.3: Weaknesses Backward compatibility with ancient SSL 2.0 (older versions): Renegotiation. Export ciphers suited for NSA de-cryption. Control messages (Alerts, CCS) transmitted in clear text. No particular state model, thus attacker can interrogate at any point. Some Cipher suites (in particular with CBC) are weak or even bad. Very little control on negotiated Cipher suites (mod_ssl). Handshake is slow. Session Resumption with persistent data. Handshake can be broken up (MitM). MtE delivery valuable information for a hacker given its data decryption. TLS (as successor of SSL) is broken by design; it is just working and deployed... everywhere. 13 / 23

14 TLS 1.3 Summary After years of discussion, the IETF released TLS 1.3 in RFC 8446 (and RFC The TLS 1.3 core is a complete redesign. Compatibility with older TLS version is provided supporting its skeleton behaviour and faking a TLS 1.2 handshake. As already used in previous TLS releases, TLS 1.3 uses the Hello Message to transport the new parameters. ECDHE key exchange is mandatory and the only one! TLS uses only a very restricted set of Cipher Suites. Those Ciphers Suites (apart from AES and GCM) are mainly based on Dan Bernstein s developments. TLS 1.3 protects the negotiated data as soon as it is possible during the handshake. Early Application Data can be transmitted in the handshake. The handshake in TLS 1.3 is much more efficient and using Session Resumption provides a 0RTT capability. Though trying to cope with older TLS versions, TLS 1.3 is a different beast. Some Middleboxes don t allow to let the TLS 1.3 traffic through, since it does not look like as expected. 14 / 23

15 TLS 1.3 Handshake The TLS 1.3 is much more efficient using an early encryption scheme. Key Exchange Authentication a) (TLS) Client Internet TCP Session established Message 1 ClientHello Version = 3.3, Random, Nonce, Cipher Suites, C = 0, Extensions: x304, ALPN ServerHello 2a Version = 3.3, Random, SessionID, Cipher Suite, C = 0, Extensions: x304, ADP Certificate Certificate Verify (signature TH) Finished (HKDF/Handshake) Verifies Certificate Generates Master & Session keys Message 3 Finished (HKDF/Handshake) TLS Connection Application key HKDF(shared secret, c/s app traffic,th) (TLS) Client Internet (TLS) Server TCP Session established Message 1 ClientHello Version = 3.3, Random, Nonce, Cipher Suites, C = 0, Extensions: x304, ALPN Generates Master & Session keys 2b 2c 2d b) Traffic key HKDF(shared secret, s/c hs traffic,th) 3a 3b 3c Certificate Certificate Verify (signature TH) Finished (HKDF/Handshake) TLS Connection (TLS) Server encrypted ServerHello 2a Version = 3.3, Random, SessionID, Cipher Suite, C = 0, Extensions: x304, ADP Certificate Request 2b Certificate 2c Certificate Verify (signature TH) 2d Finished (HKDF/Handshake) 2e encrypted Figure: TLS 1.3 Handshake; (a) without and (b) with Client Certificate Request; ALPN: Application Layer Protocol Notifications Only three messages are exchanged: Client Server The (unencrypted) Client Hello message. Server Client The Server Hello message: The first part including protocol artefacts in clear text; the further parts are encrypted with a provisional secret (Traffic Key) covering in particular the X.509 cert. Client Server The encrypted Finish message, telling that the Application Key is ready for use. 15 / 23

16 TLS 1.3 Cipher Suites KeyExchange+Authentication Encryption+Operational mode MAC TLS _ ECDHE secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), x25519(0x001d), x448(0x001e) Figure: TLS 1.3 Cipher Suites Null AES_128_GCM_SHA256 AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256 AES_128_CCM_SHA256 AES_128_CCM_8_SHA256 CipherSuite TLS_AES_128_GCM_SHA256 {0x13,0x01} CipherSuite TLS_AES_256_GCM_SHA384 {0x13,0x02} CipherSuite TLS_CHACHA20_POLY1305_SHA256 {0x13,0x03} CipherSuite TLS_AES_128_CCM_SHA256 {0x13,0x04} CipherSuite TLS_AES_128_CCM_8_SHA256 {0x13,0x05} SHA-256 SHA-384 Note: CCM = Cipher Block Chaining - Message Authentication Code (CBC-MAC) No particular Authentication method is indicated. Apart from PSK all Transcript Messages are authenticated requiring a valid server X.509 certificate. openssl ecparam -list_curves 16 / 23

17 TLS 1.3 Record Layer c) Length (2 Byte) Hashvalue Version (2 Byte) Content type (1 Byte) Content type Padding length (1 Byte) Message(s) Length (2 Byte) Version = x 303 Content type (1 Byte) Padding (optional) Zero Padding optional a) RL- Header encrypted (optional) b) Application data Message(s) MAC MP PL Segment Segment Segment Compression MACcalculation Encryption Record Layer Header Record Layer Frame HMAC d) Segment AEAD encryption Record Layer Header Application data Segment Record Layer Frame Figure: TLS 1.3 a) Record layer structure w and c) w/o MAC, b) Record with MAC, d) Record with AEAD Segment Secret Nonce Additional data 17 / 23

18 PSK 0 nonedeterministic 0 HKDF-Extr. Early Secret Early Secret, derive, Derived Secret Early Secret, ext binder res binder, binder key (Label) TLS 1.3 Keys stateful key usage Early Secret, c e traffic, TSH(ClientHello) Client Early Traffic Secret Pre Shared Keys Early Secret, e exp master, TSH(ClientHello) Early Exporter Master Secret iterative key generation (EC) DHE Secret 0 HKDF-Extr. Handshake Secret Handshake Secret, derive, Derived Secret HKDF-Extr. Master Secret Key Generation Pipeline Handshake Secret, c hs traffic, TSH(HelloMessages) Client Traffic Handshake Secret Master Secret, c ap traffic, TSH(HelloMessages) Handshake/Key Exchange Handshake Secret, s hs traffic, TSH(HelloMessages) Server Traffic Handshake Secret Traffic En/Decryption Master Secret, s ap traffic, TSH(HelloMessages) PRF Exporter Master Secret, exp master, TSH(HelloMessags) Session Resumption Master Secret, res master, TSH(HelloMessages) Client Application Traffic Secret_0 Server Application Traffic Secret_0 Exporter Master Secret Resumption Master Secret Figure: TLS 1.3 Key generating procedure using HKDF 18 / 23

19 TLS 1.3 PSK & 0RTT and Grease Session Resumption is possible within TLS 1.3 provided, both client and server store the negotiated secret (persistently): Pre-shared Keys (PSK). The PSK secret is indicated in the Client Hello message providing a hash of the PSK and coupled with the identity of the client. In this case, a TLS session can literally succeed in one step, thus 0-RTT. However, this breaks Perfect Forward Secrecy (PFS) Grease: Generate Random Extensions And Sustain Extensibility can applied by client or server to test the counterparts TLS 1.3 capabilities indicating invalid Cipher Suites in the Hello message. (TLS) Client Message 1 3 Stores PSK-Label & Session keys Internet TCP Session established ClientHello Versions= 3.3, Random, Nonce, Cipher Suites, Compression = 0 Supported Vers: x304 Grease Supported Groups: x25519, secp256r1, Key Share Entry: Grease Key Share Entry: x25519 cd34bb1ac39. ServerHelloRetry Version = 3.3, Random, SessionID, Cipher Suite, Compression = 0 Supported Vers: Key Share Hello Retry Request: x25519 Finished (HKDF/Handshake) TLS Connection Extensions New Session Ticket Ticket Lifetime, Ticket Age Ticket Nonce, Ticket., Extensions (TLS) Server 2 matching k Figure: TLS 1.3 using Pre-shared Keys 19 / 23

20 TLS 1.3 1RTT Session establishment can be accelerated in case both client and server don t need to negotiate the Cipher, but rather provide a quick focus: 1-RTT. In this case, the client indicates to the server to know already the (otherwise transmitted) DH-Params and the chosen curve (for ECC) for a quick negotiation. However, the server may have changed its DH-Params, thus this procedure would not work out. Rather, in this case, the server sends a Hello Retry message telling the new DH- Params. This procedure obviously does not violate PFS, since only protocol artefacts are provided by the client. (TLS) Client 1a Message Internet TCP Session established ClientHello Versions= 3.3, Random, Nonce, Cipher Suites, Compression = 0 Key Share Entry: x25519 cd34bb1ac39. PSK Kex Exchange Modes: psk_dhe_ke PSK Identity: identity, obfuscated ticket age PSK Binder: HMACs Offered PSK: identity, binders 1b Early Data (23) ServerHelloRetry 2a Extensions Version = 3.3, Random, SessionID, Cipher Suite, Compression = 0 Supported Vers: Key Share Entry: x25519 Key Exchange: ef1bc93.. Application Data (23) 2b (TLS) Server Figure: TLS 1.3 using 1-RTT message exchange matching 20 / 23

21 Crypto Primitives TLS < 1.3 Hands on Bibliography Commercial spot AUTOREN anatol BADACH erwin HOFFMANN Technik der HEADLINE History IP-NETZE 4. Auflage INTERNET-KOMMUNIKATION IN THEORIE UND EINSATZ Inklusive: Kapitel zum Internet of Things Figure: Technik der IP-Netze (4th edition) 21 / 23

22 Implementation OpenSSL 1.1.0: Install OpenSSL on OmniOSce however without overwriting previous Libs. How to tell which OpenSSL is installed? fehqlibs + ucspi-ssl: Install fehqlibs (under /usr/local). Install ucspi-ssl using fehqlibs and OpenSSL How can you tell that OpenSSL is in use for a client/server? testssl: Install Dirk Wetter s ssltest from Test TLS 1.3. for some sites (including Google and fehcom). WireShark: Install WireShark (> 2.5). Record a TLS 1.3 connection setup and do an interpretation of the negotiation. 22 / 23

23 Bibliography RFC 8446 RFC / 23