Practical Issues with TLS Client Certificate Authentication

Transcription

1 Practical Issues with TLS Client Certificate Authentication Arnis Parsovs February 26, / 10

2 Motivation 2 / 10

3 Motivation Problems with password authentication: 2 / 10

4 Motivation Problems with password authentication: Weak passwords 2 / 10

5 Motivation Problems with password authentication: Weak passwords Password reuse 2 / 10

6 Motivation Problems with password authentication: Weak passwords Password reuse Insecure storage on server side 2 / 10

7 Motivation Problems with password authentication: Weak passwords Password reuse Insecure storage on server side Phishing attacks 2 / 10

8 Motivation Problems with password authentication: Weak passwords Password reuse Insecure storage on server side Phishing attacks MITM attacks 2 / 10

9 Motivation Problems with password authentication: Weak passwords Password reuse Insecure storage on server side Phishing attacks MITM attacks Solution to these problems public key authentication 2 / 10

10 Motivation Problems with password authentication: Weak passwords Password reuse Insecure storage on server side Phishing attacks MITM attacks Solution to these problems public key authentication in a form of TLS Client Certificate Authentication (CCA) 2 / 10

11 Motivation Problems with password authentication: Weak passwords Password reuse Insecure storage on server side Phishing attacks MITM attacks Solution to these problems public key authentication in a form of TLS Client Certificate Authentication (CCA) Supported by all major browsers! 2 / 10

12 TLS Client Certificate Authentication 3 / 10

13 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server 4 / 10

14 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server 4 / 10

15 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server Private key has much better entropy than passwords 4 / 10

16 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server Private key has much better entropy than passwords The same certificate can be reused for different services 4 / 10

17 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server Private key has much better entropy than passwords The same certificate can be reused for different services No risk if server-side public key database leaks 4 / 10

18 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server Private key has much better entropy than passwords The same certificate can be reused for different services No risk if server-side public key database leaks Private key cannot be phished by traditional phishing attacks 4 / 10

19 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server Private key has much better entropy than passwords The same certificate can be reused for different services No risk if server-side public key database leaks Private key cannot be phished by traditional phishing attacks MITM attacker (e.g., rogue CA) cannot impersonate the user 4 / 10

20 TLS Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify [ChangeCipherSpec], Finished [ChangeCipherSpec], Finished Application Data Server Private key has much better entropy than passwords The same certificate can be reused for different services No risk if server-side public key database leaks Private key cannot be phished by traditional phishing attacks MITM attacker (e.g., rogue CA) cannot impersonate the user No trusted third party required (!) 4 / 10

21 Estonia and TLS CCA 5 / 10

22 Estonia and TLS CCA 5 / 10

23 Estonia and TLS CCA Mandatory ID cards since / 10

24 Estonia and TLS CCA Mandatory ID cards since 2002 Two RSA key pairs: For Qualified Digital Signatures For TLS Client Certificate Authentication 5 / 10

25 Estonia and TLS CCA Mandatory ID cards since 2002 Two RSA key pairs: For Qualified Digital Signatures For TLS Client Certificate Authentication TLS CCA supported by all major e-service providers 5 / 10

26 Estonia and TLS CCA Mandatory ID cards since 2002 Two RSA key pairs: For Qualified Digital Signatures For TLS Client Certificate Authentication TLS CCA supported by all major e-service providers Authentication to e-health services only by TLS CCA 5 / 10

27 Estonia and TLS CCA Mandatory ID cards since 2002 Two RSA key pairs: For Qualified Digital Signatures For TLS Client Certificate Authentication TLS CCA supported by all major e-service providers Authentication to e-health services only by TLS CCA Required to authorize online banking transactions >200 EUR 5 / 10

28 Research Objectives 6 / 10

29 Research Objectives What are the practical issues concerning TLS CCA deployment? 6 / 10

30 Research Objectives What are the practical issues concerning TLS CCA deployment? What should be improved on client and server side? 6 / 10

31 Research Objectives What are the practical issues concerning TLS CCA deployment? What should be improved on client and server side? On server side: Apache mod ssl (branch 2.2) 6 / 10

32 Research Objectives What are the practical issues concerning TLS CCA deployment? What should be improved on client and server side? On server side: Apache mod ssl (branch 2.2) On client side: Mozilla Firefox (version 19.0) Google Chrome (version 25.0) Microsoft Internet Explorer (version 9.0) 6 / 10

33 Research Objectives What are the practical issues concerning TLS CCA deployment? What should be improved on client and server side? On server side: Apache mod ssl (branch 2.2) On client side: Mozilla Firefox (version 19.0) Google Chrome (version 25.0) Microsoft Internet Explorer (version 9.0) Perform study on Estonian TLS CCA deployments. 6 / 10

34 Measurement Study of Estonian TLS CCA Deployments 7 / 10

35 Measurement Study of Estonian TLS CCA Deployments Analyzed 87 public service providers: 7 / 10

36 Measurement Study of Estonian TLS CCA Deployments Analyzed 87 public service providers: Software Hosts Percent Apache mod ssl % MS IIS % BigIP 4 4.6% Oracle AS 3 3.4% Tomcat 1 1.1% Nginx 1 1.1% Jetty 1 1.1% unknown 2 2.3% 7 / 10

37 Measurement Study of Estonian TLS CCA Deployments Analyzed 87 public service providers: Software Hosts Percent Apache mod ssl % MS IIS % BigIP 4 4.6% Oracle AS 3 3.4% Tomcat 1 1.1% Nginx 1 1.1% Jetty 1 1.1% unknown 2 2.3% 33% request certificate unencrypted 7 / 10

38 Measurement Study of Estonian TLS CCA Deployments Analyzed 87 public service providers: Software Hosts Percent Apache mod ssl % MS IIS % BigIP 4 4.6% Oracle AS 3 3.4% Tomcat 1 1.1% Nginx 1 1.1% Jetty 1 1.1% unknown 2 2.3% 33% request certificate unencrypted 93% do not bind session to certificate 7 / 10

39 Measurement Study of Estonian TLS CCA Deployments Analyzed 87 public service providers: Software Hosts Percent Apache mod ssl % MS IIS % BigIP 4 4.6% Oracle AS 3 3.4% Tomcat 1 1.1% Nginx 1 1.1% Jetty 1 1.1% unknown 2 2.3% 33% request certificate unencrypted 93% do not bind session to certificate 47% have superfluous CAs in trust store 7 / 10

40 Measurement Study of Estonian TLS CCA Deployments Analyzed 87 public service providers: Software Hosts Percent Apache mod ssl % MS IIS % BigIP 4 4.6% Oracle AS 3 3.4% Tomcat 1 1.1% Nginx 1 1.1% Jetty 1 1.1% unknown 2 2.3% 33% request certificate unencrypted 93% do not bind session to certificate 47% have superfluous CAs in trust store 45% have larger chain verification depth than needed 7 / 10

41 Measurement Study of Estonian TLS CCA Deployments Analyzed 87 public service providers: Software Hosts Percent Apache mod ssl % MS IIS % BigIP 4 4.6% Oracle AS 3 3.4% Tomcat 1 1.1% Nginx 1 1.1% Jetty 1 1.1% unknown 2 2.3% 33% request certificate unencrypted 93% do not bind session to certificate 47% have superfluous CAs in trust store 45% have larger chain verification depth than needed 18% do not perform revocation checks 7 / 10

42 Things to Improve on Client Side (Browsers) 8 / 10

43 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy 8 / 10

44 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection 8 / 10

45 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection JavaScript API in order to: 8 / 10

46 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection JavaScript API in order to: clear TLS session cache (reauthenticate) 8 / 10

47 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection JavaScript API in order to: clear TLS session cache (reauthenticate) clear client certificate selection (logout) 8 / 10

48 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection JavaScript API in order to: clear TLS session cache (reauthenticate) clear client certificate selection (logout) Prevent deadlock in case CCA fails (Firefox, IE) 8 / 10

49 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection JavaScript API in order to: clear TLS session cache (reauthenticate) clear client certificate selection (logout) Prevent deadlock in case CCA fails (Firefox, IE) Show warning if CCA requested on initial negotiation 8 / 10

50 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection JavaScript API in order to: clear TLS session cache (reauthenticate) clear client certificate selection (logout) Prevent deadlock in case CCA fails (Firefox, IE) Show warning if CCA requested on initial negotiation Client certificate selection window improvement: 8 / 10

51 Things to Improve on Client Side (Browsers) Opt-in for strong locked same-origin policy To isolate content served by MITM and legitimate connection JavaScript API in order to: clear TLS session cache (reauthenticate) clear client certificate selection (logout) Prevent deadlock in case CCA fails (Firefox, IE) Show warning if CCA requested on initial negotiation Client certificate selection window improvement: Remember last client certificate choice 8 / 10

52 Things to Improve on Server Side (Apache mod ssl) 9 / 10

53 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions 9 / 10

54 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions Important when CCA is performed by a smart card 9 / 10

55 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions Important when CCA is performed by a smart card Implement flexible SSLVerifyClient require any 9 / 10

56 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions Important when CCA is performed by a smart card Implement flexible SSLVerifyClient require any To perform certificate verification at the application level 9 / 10

57 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions Important when CCA is performed by a smart card Implement flexible SSLVerifyClient require any To perform certificate verification at the application level To provide personalized error messages in case of CCA failure 9 / 10

58 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions Important when CCA is performed by a smart card Implement flexible SSLVerifyClient require any To perform certificate verification at the application level To provide personalized error messages in case of CCA failure Provide to environment variable the timestamp of CCA 9 / 10

59 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions Important when CCA is performed by a smart card Implement flexible SSLVerifyClient require any To perform certificate verification at the application level To provide personalized error messages in case of CCA failure Provide to environment variable the timestamp of CCA To enforce the freshness of the proof of possession 9 / 10

60 Things to Improve on Server Side (Apache mod ssl) Provide session resumption support for CCA sessions Important when CCA is performed by a smart card Implement flexible SSLVerifyClient require any To perform certificate verification at the application level To provide personalized error messages in case of CCA failure Provide to environment variable the timestamp of CCA To enforce the freshness of the proof of possession Provide better CCA audit trail 9 / 10

61 Conclusion 10 / 10

62 Conclusion Solution for secure user identity is already here 10 / 10

63 Conclusion Solution for secure user identity is already here Estonian example shows that it works in practice 10 / 10

64 Conclusion Solution for secure user identity is already here Estonian example shows that it works in practice There are things to improve on client and server side 10 / 10

65 Conclusion Solution for secure user identity is already here Estonian example shows that it works in practice There are things to improve on client and server side Improvements do not require changes to the protocol 10 / 10

66 Conclusion Solution for secure user identity is already here Estonian example shows that it works in practice There are things to improve on client and server side Improvements do not require changes to the protocol Thank you! 10 / 10