Coming of Age: A Longitudinal Study of TLS Deployment

Similar documents
ON THE SECURITY OF TLS RENEGOTIATION

TLS1.2 IS DEAD BE READY FOR TLS1.3

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

MTAT Applied Cryptography

State of TLS usage current and future. Dave Thompson

Internet security and privacy

TLS 1.1 Security fixes and TLS extensions RFC4346

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

32c3. December 28, Nick goto fail;

CSCE 715: Network Systems Security

Overview of TLS v1.3 What s new, what s removed and what s changed?

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

SSL Visibility and Troubleshooting

SSL Report: ( )

Securely Deploying TLS 1.3. September 2017

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

CIS 5373 Systems Security

TLS 1.2 Protocol Execution Transcript

SSL Report: bourdiol.xyz ( )

SSL Report: printware.co.uk ( )

Transport Layer Security

Security Protocols and Infrastructures

Transport Layer Security

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

Transport Level Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Overview of TLS v1.3. What s new, what s removed and what s changed?

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Authenticated Encryption in TLS

Transport Layer Security

SSL Report: cartridgeworld.co.uk ( )

A messy state of the union:

Studying TLS Usage in Android Apps

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Chapter 4: Securing TCP connections

SSL/TLS: Still Alive? Pascal Junod // HEIG-VD

One Year of SSL Internet Measurement ACSAC 2012

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

Protecting TLS from Legacy Crypto

MTAT Applied Cryptography

concerto: A Methodology Towards Reproducible Analyses of TLS Datasets

SSL Report: sharplesgroup.com ( )

Cipher Suite Practices and Pitfalls:

SSL/TLS Security Assessment of e-vo.ru

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Secure Internet Communication

SSL/TLS Server Test of

Security Protocols and Infrastructures. Winter Term 2010/2011

Secure Socket Layer. Security Threat Classifications

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

TLS Security and Future

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

E-commerce security: SSL/TLS, SET and others. 4.1

Introduction to cryptology (GBIN8U16) Introduction

Securing IoT applications with Mbed TLS Hannes Tschofenig

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

Requirements from the. Functional Package for Transport Layer Security (TLS)

Auth. Key Exchange. Dan Boneh

Security Protocols and Infrastructures. Winter Term 2015/2016

Findings for

Cryptography (Overview)

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

WAP Security. Helsinki University of Technology S Security of Communication Protocols

TLS in the wild. An Internet-wide analysis of TLS-based protocols for electronic communication. Ralph Holz

The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1

The State of TLS in httpd 2.4. William A. Rowe Jr.

Was ist neu bei TLS 1.3?

BIG-IP System: SSL Administration. Version

Ecosystem at Large

Information Security CS 526

Your Apps and Evolving Network Security Standards

SSL/TLS. Pehr Söderman Natsak08/DD2495

SSL Server Rating Guide

FUJITSU Software BS2000 internet Services. Version 3.4A May Readme

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Practical Issues with TLS Client Certificate Authentication

SSL/TLS Server Test of grupoconsultorefe.com

Norbert Muehr (Siemens PLM GTAC EMEA)

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

IPSec Transform Set Configuration Mode Commands

TLS/sRTP Voice Recording AddPac Technology

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Defeating All Man-in-the-Middle Attacks

Introduction to Cryptography Lecture 11

SSL Accelerated Services. Feature Description

Cryptology complementary. Introduction

Nayanamana Samarasinghe and Mohammad Mannan. Concordia University, Montreal, Canada

Datapath. Encryption

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Understanding Traffic Decryption

IBM Education Assistance for z/os V2R1

Crypto meets Web Security: Certificates and SSL/TLS

Encryption. INST 346, Section 0201 April 3, 2018

Lecture for February 10, 2016

Transcription:

Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson, Narseo Vallina-Rodriguez, Juan Caballero

TLS The De Facto secure protocol q Originally designed for secure e- commerce over HTTP q Over 60% of web traffic is now encrypted using TLS q Hundreds of millions of people and devices every day

Full TLS Handshake Protocol Client Server ClientHello ServerHello, Cert, [ServerKeyExchange,] ServerHelloDone ClientKeyExchange, CCS, ClientFinished CCS, ServerFinished First flow containing application data: TLS is a 2-RTT 3 protocol! ClientData ServerData

TLS Handshake Protocol - Goals q Agree on the shared master secret that will be used to protect the session q Provides authentication of server (usually) and client (rarely) q Using public key cryptography supported by digital certificates q Protects negotiation of all cryptographic parameters. q SSL/TLS version number, encryption and hash algorithms, authentication and key establishment methods. q To prevent version rollback and cipher suite downgrade attacks.

TLS Attacks Crypto primitives Ciphersuite details Protocol framework Libraries Applications RSA, DSA, ECDSA Diffie-Hellman, ECDH HMAC MD5, SHA-1, SHA-2 DES, 3DES, RC4, AES Data structures Key derivation Encryption modes, IVs Padding Compression Alerts & errors Certification/revocation Negotiation Renegotiation Session resumption OpenSSL GnuTLS SChannel Java JSSE Web browsers: Chrome, Firefox, IE, Safari Web servers: Apache, IIS, Certificates Slide from Douglas Stebila

TLS Attacks Crypto primitives Lucky 13 Ciphersuite details Long-term signature key reuse Bleichenbacher RSA PKCSv1 Heartbleed Protocol framework Libraries Applications RSA, DSA, ECDSA Diffie-Hellman, ECDH HMAC MD5, SHA-1, SHA-2 DES, 3DES, RC4, AES Data structures Key derivation Encryption modes, IVs Padding Compression CRIME attack Rizzo & Duong Alerts & errors Certification/revocation Negotiation Renegotiation Session resumption Renegotiation Attack Ray & Dispensa OpenSSL GnuTLS SChannel Java JSSE Web browsers: Chrome, Firefox, IE, Safari Web servers: Apache, IIS, Certificates Mutliple RC4 attacks on TLS CA breaches Slide from Douglas Stebila

Contributions q Large scale longitudinal study on TLS ecosystem since 2012 using 319.3B TLS connections q Analyze trends and evolution of the TLS ecosystem both on the client and server side q Special focus on changes occurring in response to specific high-profile attacks q Create the largest database of TLS client fingerprints to-date to identify the evolution of client software on the Internet github.com/platonk/tls_fingerprints

Datasets q Metadata from 319.3B outgoing SSL/TLS connections q 6 years (Feb 2012 March 2018) ICSI SSL Notary q Universities and research institutions from North America q Collection using Bro Network Security Monitor (now Zeek) q Periodic Internet-wide TLS scans q ~3 years (Aug 2015 May 2018) q Scanning using mimicking a 2015 version of Chrome q Temporal view of publicly-reachable TLS servers

Road Map Intro TLS Fingerprints Vulnerability Analysis Ecosystem Improvements

Identifying Client Software Building TLS Fingerprints Cipher Suites Extensions Supported EC Supported EC Point Formats Each TLS fingerprint maps to a program/library and the version range that it covers q 200 cipher suites, 28 extensions, and 35 elliptic curves values q Build a groundtruth of 1,684 TLS fingerprints: q Browserstack service for browser and mobile devices q Compile TLS libraries Browsers Libraries Email Clients q Prior work Android SDK & Apps

Identifying Client Software Matching TLS Traffic q Apply TLS fingerprints to 191,9B (60%) of TLS connections after February 2014 69,874 unique TLS Fingerprints 1,670 matched 191,9B TLS connections ~70% matched q 1,203 fingerprints responsible for ~22% of the connections seen for more than 1,200 days 22% of the TLS connections initiated by software that has not updated their supported ciphersuites since 2014

Road Map Intro TLS Fingerprints Vulnerability Analysis Ecosystem Improvements

SSL/TLS versions Version Release Date SSL 2 Feb. 1995 SSL 3 Nov. 1996 TLS 1.0 Jan. 1999 TLS 1.1 Apr. 2006 TLS 1.2 Aug. 2008 TLS 1.3 Aug. 2018 Considered insecure q PCI council suggests migration from TLSv1.1 to newer versions (before June 2018) q Main options prior to TLS 1.2: q HMAC-then-CBC with DES, 3-DES, AES q HMAC-then-RC4 q Support for AEAD algorithms added in TLS 1.2: q AES-GCM (2x faster than CBC mode) q AES-CCM q Chacha20-Poly1305

SSL/TLS Negotiated versions

SSL/TLS Negotiated versions q Big uptake in TLS 1.2 starting in late 2013 q 5 years after it was standardized q Almost no SSLv2 (1.2k connections in Feb. 2018). q 360.1K SSLv3 connections in Feb. 2018 to 1789 different servers. q 4 servers received more than 50,000 SSLv3 connections; all belong to Symantec and Wayport. q Less than 25% of servers support SSLv3 (May 2018).

SSL/TLS Record Protocol Algorithms Advertised by Clients Client ClientHello Server ServerHello, Cert, [ServerKeyExchange,] ServerHelloDone ClientKeyExchange, CCS, ClientFinished CCS, ServerFinished ClientData ServerData

SSL/TLS Record Protocol Algorithms Advertised by Clients

SSL/TLS Record Protocol Algorithms Advertised by Clients

SSL/TLS Record Protocol Algorithms Advertised by Clients

SSL/TLS Record Protocol Algorithms Advertised by Clients

SSL/TLS Record Protocol Algorithms in Use Client ClientHello Server ServerHello, Cert, [ServerKeyExchange,] ServerHelloDone ClientKeyExchange, CCS, ClientFinished CCS, ServerFinished ClientData ServerData

SSL/TLS Record Protocol Algorithms in Use Percent monthly connections 90 80 70 60 50 40 30 20 10 0 Type AEAD CBC RC4 2012 04 01 2012 10 01 2013 04 01 2013 10 01 2014 04 01 2014 10 01 2015 04 01 2015 10 01 2016 04 01 2016 10 01 2017 04 01 2017 10 01 2018 04 01

SSL/TLS Record Protocol Algorithms in Use

SSL/TLS Record Protocol Algorithms in Use

Algorithms advertised vs algorithms used Advertised Used Changes are driven by server-side updates Clients are slow to drop support for older algorithms

Clients Offering RC4 Percent monthly connections 100 90 80 70 60 50 2012 01 01 2012 04 01 2012 07 01 2012 10 01 2013 01 01 2013 04 01 2013 07 01 2013 10 01 2014 01 01 2014 04 01 2014 07 01 2014 10 01 40 30 20 10 RC4 2 years RFC 7465 Firefox Browsers are the first to drop support of RC4 but still they are slow RC4 npasswords 2015 01 01 2015 04 01 2015 07 01 2015 10 01 RC4 no more Opera Chrome IE/Edge 2016 01 01 2016 04 01 2016 07 01 2016 10 01 2017 01 01 2017 04 01 2017 07 01 2017 10 01 Safari 2018 01 01 2018 04 01

Advertised Export, Null, and Anonymous Ciphers Percent monthly connections 40 35 30 25 20 15 10 5 0 2012 01 01 2012 04 01 2012 07 01 2012 10 01 2013 01 01 2013 04 01 2013 07 01 2013 10 01 2014 01 01 2014 04 01 2014 07 01 2014 10 01 2015 01 01 2015 04 01 2015 07 01 2015 10 01 2016 01 01 2016 04 01 2016 07 01 2016 10 01 Export: typically 40-bit security level, legacy of 1990s crypto restrictions. Anonymous: client/server not authenticated. Null: mostly grid traffic, integrity only (atypical) 2017 01 01 2017 04 01 2017 07 01 2017 10 01 Export Anonymous Null 2018 01 01 2018 04 01

Road Map Intro TLS Fingerprints Vulnerability Analysis Ecosystem Improvements

AEAD Usage

SSL/TLS: Key Exchange methods Percent monthly connections 90 80 70 60 50 40 30 20 10 0 2012 07 01 2012 10 01 2013 01 01 2013 04 01 2012 01 01 2012 04 01 2013 07 01 2013 10 01 2014 01 01 2014 04 01 2014 07 01 2014 10 01 2015 01 01 2015 04 01 2015 07 01 2015 10 01 2016 01 01 2016 04 01 Dotted line: beginning of Snowden revelations 2016 07 01 2016 10 01 2017 01 01 2017 04 01 2017 07 01 2017 10 01 2018 01 01 2018 04 01 Type DHE ECDHE RSA

TLS 1.3 Radical change q Touches all parts of the protocol q Parts of the handshake are encrypted (e.g., certificates) q Cipher suites reduced from hundreds to 5 (CBC-mode, RC4 ciphers removed) q TLS was just starting to see adoption at the end of our study. q 0.5% of clients advertised TLS 1.3 in February 2018. q 9.8% in March 2018. q 23.6% in April 2018. q But only 1.3% of connections actually negotiated TLS 1.3 in April 2018: server-side deployment lagging client-side. q 6 years for TLS 1.2 to be used in more than 50% of the connections

Summary q Several improvements in the ecosystem 90% of conns using TLSv1.0 No Forward Secrecy All conns using CBC-mode or RC4 >90% of conns using TLSv1.2 >90% conns use AEAD ciphers 90% conns use Forward Secrecy 2012 2018 q Fast support of TLSv1.3 even before the RFC is finalized

Summary q Backwards compatibility q Clients, especially browsers, are quick to adopt new algorithms they are slow to drop support for older ones q Risk of (new) downgrade attacks, room for misconfiguration q Poor implementations q Long tail of clients with support of Null, Anonymous and export ciphers

34

Relative Position of ciphers

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback