TLS1.2 IS DEAD, BE READY FOR TLS1.3
28 March 2017
Enterprise Architecture, Technology & Operations
Presenter: Motaz Alturayef, Jubial Cyber Security Conference
70%: Privacy and security concerns are driving encrypted traffic growth, which is expected to represent 70 percent of all Internet traffic this year. Source: Sandvine, Global Internet Phenomena Spotlight, 2016
The history of SSL and TLS
- 1994: SSL1 and SSL2, created by Netscape and contained significant flaws
- 1995: SSL3, created by Netscape to address SSL2 flaws
- 1999: TLS 1.0, standardized SSL3 with almost no changes (RFC 2246)
- 2006: TLS 1.1, security fixes and TLS extensions (RFC 4346)
- 2008: TLS 1.2, added support for authenticated encryption (AES-GCM, CCM modes) and removed hard-coded primitives (RFC 5246)
- Then crap hits the fan: first set of public SSL exploits
SSL isn't perfect: SSL vulnerabilities exposed
- August 2009: Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack
- February 2010: RFC 5746 TLS extension for secure renegotiation quickly mainstreamed
- September 2011: BEAST & CRIME, client-side or MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws
- February 2013: Lucky 13, another timing attack
- March 2013: RC4 attacks, weakness in CBC cipher making plaintext guessing possible
- March 2013: TIME, a refinement and variation of CRIME
- April 2014: Heartbleed, the end of the Internet as we know it!
- POODLE: padding oracle attack on SSLv3
- Dire POODLE: padding oracle attack on TLS
- FREAK: implementation attack on export ciphers
- LogJam: implementation attack on weak DH
How TLS1.2 works (full handshake, two round trips before application data)
- Client -> Server: ClientHello (supported cipher suites)
- Server -> Client: ServerHello (chosen cipher suite), Key Share
- Client -> Server: Key Share, Finished
- Server -> Client: Finished
- Client -> Server: HTTP GET
- Server -> Client: HTTP Response
How TLS1.3 works (full handshake, one round trip before application data)
- Client -> Server: ClientHello (supported cipher suites), Key Share
- Server -> Client: ServerHello (chosen cipher suite), Key Share, Certificate and Signature, Finished
- Client -> Server: Finished, HTTP GET
- Server -> Client: HTTP Response
Speeding up TLS1.2: resumption
- Client -> Server: ClientHello (Session ID)
- Server -> Client: ServerHello, Finished
- Client -> Server: Finished, HTTP GET
- Server -> Client: HTTP Response
TLS1.3 0-RTT resumption
- Client -> Server: ClientHello (Session Ticket), Key Share, HTTP GET
- Server -> Client: ServerHello, Key Share, Finished, HTTP Response
TLS1.3 is anti-downgrade. TLS1.3 uses a smart way of detecting whether a MITM is trying to downgrade the connection. This is achieved by sending a random number with the ClientHello, so the connection cannot be downgraded if the client supports TLS1.3.
Removed with TLS1.3
- Static RSA handshake
- CBC
- RC4
- SHA1
- MD5
- Compression
- Renegotiation
Keeping Your SSL up to Date
Understanding SSL: the three components of a cipher suite
- Key Exchange: for exchanging keying information at the start of the session. Algorithms: RSA, DHE_RSA, ECDH(E)_RSA, ECDH(E)_ECDSA
- Message (bulk) Encryption: uses the master secret to encrypt data between parties. Algorithms: RSA, AES, DES/3DES, RC4, Camellia
- Message Authentication: produces one-way encrypted hashes of data for data integrity. Algorithms: MD5, SHA
Reading SSL: cryptographic notation, using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the example
- TLS: protocol
- ECDHE: key exchange
- RSA: authentication
- AES: message (bulk) encryption algorithm
- 128: strength (key size in bits)
- GCM: mode
- SHA256: message authentication
Source: Ivan Ristic, Bulletproof SSL and TLS
SSL strength: SSL intelligence and best practices for achieving an A+ grade (expected grade impact in brackets)
- Require secure renegotiation [A-]
- Disable SSLv2 and SSLv3 (default in 11.5+) [B]
- Disable RC4 [B/C]
- Disable 3DES; SHA1 certificates are no longer accepted
- Prefer Perfect Forward Secrecy (prioritize ECDHE, DHE) [A-/B], minimum 2048-bit keys
- Enable TLS_FALLBACK_SCSV [A]
- Enable HSTS [A]
- Patch to TMOS 11.4.1HF7, 11.5.1HF7, 11.5.2 or 11.6 [C or F]
- Use an explicit and strong cipher string
- Extra credit for PCI compliance: disable TLS 1.0
Reference: https://github.com/ssllabs/research/wiki/ssl-server-rating-guide
Example cipher string: NATIVE:!SSLv2:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:-MD5:-SSLv3:-RC4
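The following Python script is an added example, not part of the original slides: it splits IANA-style cipher-suite names into the columns of the "Reading SSL" slide (key exchange, authentication, bulk cipher, strength, mode, MAC) and applies the "SSL strength" rules above (prefer ECDHE/DHE, drop RC4, 3DES, MD5 and non-AEAD modes). The suite names in the demo list are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional

FORWARD_SECRET_KEX = {"ECDHE", "DHE"}   # ephemeral exchanges give forward secrecy
AEAD_MODES = {"GCM", "CCM"}             # authenticated encryption (kept in TLS 1.3)
MODES = AEAD_MODES | {"CBC"}

@dataclass
class CipherSuite:
    name: str
    kex: str              # key exchange, e.g. ECDHE
    auth: str             # authentication, e.g. RSA
    cipher: str           # bulk cipher, e.g. AES or 3DES_EDE
    bits: Optional[int]   # key strength; None when the name carries no size (3DES)
    mode: Optional[str]   # GCM/CCM/CBC; None for a stream cipher such as RC4
    mac: str              # message authentication hash, e.g. SHA256
    findings: list = field(default_factory=list)

def parse_suite(name: str) -> CipherSuite:
    """Split an IANA cipher-suite name into the slide's notation columns."""
    left, right = name.split("_WITH_")
    kex_parts = left.split("_")[1:]                 # drop the leading "TLS"
    kex = kex_parts[0]
    # A static RSA handshake uses the RSA certificate key for both roles.
    auth = kex_parts[1] if len(kex_parts) > 1 else kex
    toks = right.split("_")
    mac = toks.pop()
    mode = toks.pop() if toks and toks[-1] in MODES else None
    bits = int(toks.pop()) if toks and toks[-1].isdigit() else None
    return CipherSuite(name, kex, auth, "_".join(toks), bits, mode, mac)

def assess(name: str) -> CipherSuite:
    """Attach findings according to the best-practice list on this slide."""
    s = parse_suite(name)
    if s.kex not in FORWARD_SECRET_KEX:
        s.findings.append("no forward secrecy (static key exchange)")
    if s.cipher == "RC4":
        s.findings.append("RC4 is broken")
    if s.cipher.startswith("3DES"):
        s.findings.append("3DES should be disabled")
    if s.mac == "MD5":
        s.findings.append("MD5 MAC")
    if s.mode not in AEAD_MODES:
        s.findings.append("not an AEAD mode (CBC and stream ciphers removed in TLS 1.3)")
    return s

if __name__ == "__main__":
    for n in ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_MD5",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"]:
        s = assess(n)
        print(f"{n}: {s.kex}/{s.auth} {s.cipher} {s.bits} {s.mode} {s.mac} -> {s.findings or 'OK'}")
```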
Sources
- Cloudflare: An overview of TLS 1.3 and Q&A, presentation by Filippo Valsorda
- F5 Networks: SSL presentation
- RFC: The Transport Layer Security (TLS) Protocol Version 1.3, draft-ietf-tls-tls13-19