Overview of TLS v1.3. What s new, what s removed and what s changed?

Similar documents
Overview of TLS v1.3 What s new, what s removed and what s changed?

TLS1.2 IS DEAD BE READY FOR TLS1.3

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

State of TLS usage current and future. Dave Thompson

Securely Deploying TLS 1.3. September 2017

Your Apps and Evolving Network Security Standards

Coming of Age: A Longitudinal Study of TLS Deployment

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Protecting TLS from Legacy Crypto

Verifying Real-World Security Protocols from finding attacks to proving security theorems

MTAT Applied Cryptography

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Defeating All Man-in-the-Middle Attacks

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Summary on Crypto Primitives and Protocols

TLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1

CSCE 715: Network Systems Security

Secure Socket Layer. Security Threat Classifications

TLS 1.2 Protocol Execution Transcript

What s new in TLS 1.3 (and OpenSSL as a result) Rich Salz

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Internet security and privacy

Security Protocols and Infrastructures

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Attacks on SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dez. 6th, 2016

32c3. December 28, Nick goto fail;

ON THE SECURITY OF TLS RENEGOTIATION

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

Authenticated Encryption in TLS

TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key

Transport Layer Security

SSL Report: ( )

TLS 1.1 Security fixes and TLS extensions RFC4346

Findings for

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

SSL/TLS: Still Alive? Pascal Junod // HEIG-VD

Formally Analyzing the TLS 1.3 proposal

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Encryption. INST 346, Section 0201 April 3, 2018

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Solving HTTP Problems With Code and Protocols NATASHA ROONEY

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Transport Level Security

OPTLS and TLS 1.3. Hugo Krawczyk, Hoeteck Wee. TRON Workshop 2/21/2016

Secure Internet Communication

Chapter 8 Web Security

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi

The case for ubiquitous transport-level encryption

CIS 5373 Systems Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

SSL Report: bourdiol.xyz ( )

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

MTAT Applied Cryptography

Transport Layer Security

SSL Visibility and Troubleshooting

But where'd that extra "s" come from, and what does it mean?

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

SSL/TLS. Pehr Söderman Natsak08/DD2495

CSE 127: Computer Security Cryptography. Kirill Levchenko

TLS Security and Future

Information Security CS 526

SSL Report: printware.co.uk ( )

Cryptography (Overview)

VNC Connect security whitepaper. Security analysis of the RFB 5.0 protocol. Version 1.2

The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1

Chapter 4: Securing TCP connections

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Overview. SSL Cryptography Overview CHAPTER 1

SSL Report: cartridgeworld.co.uk ( )

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

E-commerce security: SSL/TLS, SET and others. 4.1

Displaying SSL Configuration Information and Statistics

Was ist neu bei TLS 1.3?

TLS Extensions Project IMT Network Security Spring 2004

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

DROWN - Breaking TLS using SSLv2

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Requirements from the. Functional Package for Transport Layer Security (TLS)

Cipher Suite Configuration Mode Commands

Security Protocols and Infrastructures. Winter Term 2015/2016

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

TLSnotary - a mechanism for independently audited https sessions

Security Protocols and Infrastructures. Winter Term 2010/2011

Randomness Extractors. Secure Communication in Practice. Lecture 17

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Transport Layer Security

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

SSL Report: sharplesgroup.com ( )

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Cryptography MIS

HTTPS is Fast and Hassle-free with Cloudflare

CSCE 715: Network Systems Security

Transcription:

Overview of TLS v1.3 What s new, what s removed and what s changed?

About Me Andy Brodie Worldpay Principal Design Engineer. Based in Cambridge, UK. andy.brodie@owasp.org Neither a cryptographer nor a mathematician! This means no maths in this presentation.

Agenda History & Background. What s Been Removed. What s New & Changed. Cipher Suites. Handshake Changes. Hashed-Key Derivation Function. Session Resumption. Summary. 3

The Goals and Basics of TLS HISTORY & BACKGROUND 4

How SSL became TLS When Who What Comments 1994 Netscape SSL 1.0 designed. Never published as security flaws were found internally. 1995 Netscape SSL v2.0 published. Flaws found pretty quickly, which led to 1996 Netscape SSL v3.0 published. SSL becomes ubiquitous. 1999 IETF TLS v1.0 published (SSL v3.1) Incremental fixes, political name change and IETF ownership. 2006 IETF TLS v1.1 published (SSL v3.2) Incremental fixes and capabilities. 2008 IETF TLS v1.2 published (SSL v3.3) What we should all be using! 2014 IETF TLS v1.3 draft 1 (SSL v3.4) 2018 IETF TLS v1.3 draft 23 Expires July 15 5

Stop to consider the awesomeness! A Client and Server can have a secure conversation over an insecure medium having never met before.

What is a secure conversation? Privacy Conversation must be encrypted. Prevent eavesdropping attacks. Integrity Client & Server must be able to detect message tampering. Prevent Man In The Middle (MITM) attacks. Authentication Client needs to trust they re talking to the intended server. Prevent impersonation attacks.

TLS achieves this using various techniques Privacy Symmetric key encryption for application data. Typically Advanced Encryption Standard (AES). Integrity Authenticated Encryption with Additional Data (AEAD). Usually AES-GCM (Galois/Counter Mode) cipher mode. Authentication X509 certificates signed by a mutually trusted third party. Typically server authenticated only.

Flow of messages in a TLS conversation Open Socket Handshake Application Data Alert Close Socket 9

Flow of messages in a TLS conversation Handshake Agree a cipher suite. Agree a master secret. Authentication using certificate(s). Application Data Symmetric key encryption. AEAD cipher modes. Typically HTTP. Alerts Graceful closure, or Problem detected. Open Socket Handshake Application Data Alert Close Socket 10

https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html TLS V1.3

Key Goals of TLS v1.3 Key Goals of TLS v1.3: Clean up - Remove unsafe or unused features. Security - Improve security w/modern techniques. Privacy - Encrypt more of the protocol. Performance 1-RTT and 0-RTT handshakes. Continuity Backwards compatibility. 12

WHAT S REMOVED IN TLS V1.3? 13

What s removed in TLS v1.3 Key Exchange RSA Encryption algorithms: RC4, 3DES, Camellia. Cryptographic Hash algorithms: MD5, SHA-1. Cipher Modes: AES-CBC. Other features: TLS Compression & Session Renegotiation. DSA Signatures (ECDSA 224 bit). ChangeCipherSpec message type & Export strength ciphers. Arbitrary/Custom (EC)DHE groups and curves. 14

This has mitigated quite a few attacks RC4 Roos s Bias 1995 Fluhrer, Martin & Shamir 2001 Klein 2005 Combinatorial Problem 2001 Royal Holloway 2013 Bar-mitzvah 2015 NOMORE 2015 AES-CBC Vaudenay 2002 Boneh/Brumley 2003 BEAST 2011 Lucky13 2013 POODLE 2014 Lucky Microseconds 2015 RSA-PKCS#1 v1.5 Encryption Bleichenbacher 1998 Jager 2015 DROWN 2016 Compression CRIME 2012 Renegotiation Marsh Ray Attack 2009 Renegotiation DoS 2011 Triple Handshake 2014 3DES Sweet32 MD5 & SHA1 SLOTH 2016 SHAttered 2017 15

WHAT S NEW AND CHANGED? 16

What s New and Changed? Cipher Suites. Handshake. Hashed-Key Derivation Function (HKDF). Key Schedule. Sessions. 17

CIPHER SUITES

TLS v1.2 provides 37 Cipher Suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Protocol Key Exchange Authentication AEAD Cipher Mode PRF Hash Algorithm TLS 1.2 specifies 37 cipher suites. Add previous versions in: 319 cipher suites.

TLS 1.3 Cipher Suites Protocol TLS_AES_128_GCM_SHA256 AEAD Cipher Mode HKDF Hash Algorithm TLS v1.3 supports 5 cipher suites. TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 20

What happens to key exchange and authentication then? Key Exchange algorithms: DHE & ECDHE Only 5 ECDHE curve groups supported Only 5 DHE finite field groups supported Pre-Shared Key (PSK) PSK with (EC)DHE Digital Signature (Authentication) algorithms: RSA (PKCS#1 variants) ECDSA / EdDSA 21

HANDSHAKE CHANGES

TLS Handshake The handshake has three goals: Agree a cipher suite. Agree a master secret. Establish trust between Client & Server. Optimise for the most common use cases. Everyone* wants a secure conversation. Same cipher suites used across websites repeatedly. Clients connect to the same sites repeatedly. * ok, almost everyone! 23

TLS 1.2 Handshake

Three Stages of a TLS 1.3 Handshake Key Exchange Server Parameters Authentication 25

Client now makes assumptions about server support. Client sends: Cipher Suite options. List of supported groups/curves. (EC)DHE Key Share(s). Server sends: Cipher suite selection. (EC)DHE Key Share Client and Server now share a key. 26

The rest of the handshake is encrypted. Server sends: Encrypted Extensions Server Name Message Length and optionally many more Certificate Request Supported signature algorithms. 27

Client now makes assumptions about server support. Server sends: Certificate. Proof of private key possession. Finished. Application Data Client responds: Certificate. Proof of private key possession. Finished. 28

Efficiency Gains 29

GENERATING KEYS USING HKDF 30

HKDF (RFC5869) HMAC-based Key Derivation Function TLS <= v1.2 defines PRF algorithm. TLS v1.3 replaces this with HKDF. HKDF encapsulates how TLS uses HMAC. Re-used in other protocols. Separate cryptographic analysis already done. Provides 2 functions: Extract - create a pseudo-random key from inputs. Expand - create more keys from the extract output. HMAC is integral to HKDF. HMAC requires the Cryptographic Hash algorithm specified in the cipher suite (SHA256 or SHA384). 31

How the PRF is implemented PRF(secret, label, seed) P_HASH(secret, label + seed) HMAC(SHA-256) label + seed Key Material 32

TLS <= v1.2 Creating Key Material from a master secret Client MAC Key PRF Server MAC Key Client Write Key Pre-master Secret Master Secret Key Material >= 46 bytes 48 bytes Server Write Key PRF Client Write IV Server Write IV

TLS v1.3 Key Schedule Generation 0 PSK Early Secret Derive Secret Binder Key Client Early Traffic Secret Early Exporter Master Secret (EC)DHE Handshake Secret Derive-Secret HKDF-Expand-Label Derive Secret Client Traffic Handshake Secret Server Traffic Handshake Secret Derive-Secret Fixed HKDF-Extract 0 Master Secret Client Application Traffic Secret 0 Server App Traffic Secret 0 Exporter Master Secret Resumption Master Secret Client Application Traffic Secret N Server App Traffic Secret N Nonce N PSK Ticket N 34

What s the difference? PRE-SHARED KEYS AND SESSIONS 35

Why do we need sessions? Full handshakes are expensive. Key generation. Server (& Client) Authentication. Many HTTP clients need it. Download web page resources (JS, CSS, images). Dynamic web pages (XHR). May not be feasible to keep connection open. 36

How do we establish a PSK? Out-of-band Added to TLS in 2006 via RFC4279. During Handshake Client announces it supports session resumption. Server provides a PSK identities during handshake. After handshake, Server sends New Session Ticket Contains PSK identity, nonce and max age. The PSK is derived from master secret. Server can send multiple tickets. 37

So, TLS v1.3 supports PSK-based session resumption becomes 38

What about Zero Round Trip Time (0-RTT)? PSK means the key is known to both sides. Does this mean Client can send data immediately? Can we have a zero round trip time handshake? But Yes, we can! No forward secrecy for the early data sent by client. No guarantees of non-replay. 39

So, TLS v1.3 supports PSK-based session resumption becomes 40

Extensions Extensions everywhere! BACKWARDS COMPATIBILITY 41

Backwards Compatibility Backwards compatibility is important TLS v1.3 clients need to talk to TLS v1.2 servers. TLS v1.2 clients need to talk to TLS v1.3 servers. Structure of Hello messages is maintained. 12 extensions defined in the RFC. 9 extensions defined in other RFCs. E.g. server key exchange message replaced with key_share extension. 42

All the extensions Extension TLS 1.3 server_name [RFC6066] CH, EE max_fragment_length [RFC6066] CH, EE status_request [RFC6066] CH, CR, CT supported_groups [RFC7919] CH, EE signature_algorithms [RFC5246] CH, CR use_srtp [RFC5764] CH, EE heartbeat [RFC6520] CH, EE application_layer_protocol_negotiation [RFC7301] CH, EE signed_certificate_timestamp [RFC6962] CH, CR, CT client_certificate_type [RFC7250] CH, EE server_certificate_type [RFC7250] CH, CT padding [RFC7685] CH key_share CH, SH, HRR pre_shared_key CH, SH psk_key_exchange_modes CH early_data CH, EE, NST cookie CH, HRR supported_versions CH certificate_authorities CH, CR oid_filters CR post_handshake_auth CH Acronym CH SH EE CT CR NST HRR Message Client Hello Server Hello Encrypted Extensions Certificate Certificate Request New Session Ticket Hello Retry Request 43

Backwards Compatibility Considerations Protocol Version is mentioned in every message. Now deprecated/fixed to old version values Handshake claims 1.2, App Data claims 1.0. New extension specifies list of supported versions. Fixed values to prevent downgrade attacks. Server Random has fixed last 8 bytes DOWNGRD[0x01] for TLS 1.2 clients. DOWNGRD[0x00] for <= TLS 1.1 clients. 44

And that s TLS v1.3! Removed Anything that was unused, unsafe or didn t offer significant value. Added Handshake encryption. 1-RTT and 0-RTT PSK / Session Resumption. Changed Cipher Suites. Handshake. Hashed-Key Derivation Function (HKDF). Key Schedule. Sessions. 45

THANK YOU FOR LISTENING!

My own thoughts? The Good: Massive efficiency gains*. Fewer choices for Client & Server means reduced attack vectors. The Bad: Extensions. extensions everywhere (21) A lot of added complexity for backwards compatibility. Specification consumability is questionable. * 0-RTT has a whiff of future regret about it. 47

Unused Slides APPENDIX 48

What s the point of the master secret? Client and Server need: Keys for symmetric encryption. Initialisation Vectors for AEAD Cipher Modes. Keys & IVs generated from a master secret. TLS defines a Key Schedule How HKDF algorithm is used. How to generate an infinite amount of secure key material. So, how does HKDF work? 49

HMAC-based Extract-and-Expand Key Derivation Function HMAC (IS THE NEW PRF) 50

What is HKDF used for? Key Schedules Handshake Secrets. Early Traffic Secrets. Master Secret. Application Data Secrets. Initialisation Vectors. Transcript Hashes Certificate Verification. Handshake Finished Keys. 51

HKDF (RFC5869) HMAC-based Extract-and-Expand Key Derivation Function TLS <= v1.2 defines PRF algorithm. HKDF encapsulates how TLS uses HMAC. Re-used in other protocols. Separate cryptographic analysis already done. Provides 2 functions: Extract - create a pseudo-random key from inputs. Expand - create more keys from the first key. HMAC is integral to HKDF. 52

Cryptographic MAC Function: HMAC It creates a Message Authentication Code using: Message data. A shared key. A cryptographic hash algorithm (set in cipher suite). SHA256 or SHA384. 53

Message Authentication Codes - Integrity Keyed-Hash Message Authentication Code 0x5c5c5c5c5c5c5c Ight 0x36363636363636 XOR XOR XOR d Secret Key message hash XOR d Secret Key hash hash HMAC 54

HKDF Extract & Expand Extract Creates a Pseudo-Random Key (PRK) HKDF-Extract(salt, IKM) -> PRK PRK = HMAC-Hash(salt, IKM) Expand Creates infinite key material from the PRK. Iteratively calls HMAC with an increasing counter. HKDF-Expand(PRK, info, L) -> OKM T(0) = empty string (zero length) T(1) = HMAC-Hash(PRK, T(0) info 0x01) T(2) = HMAC-Hash(PRK, T(1) info 0x02) 55

However, it s unfortunately not that simple Derive-Secret(Secret, Label, Messages[]) = HKDF-Expand( Secret, enum char[6] Variable[12] Variable[255] Length tls13 Label HashValue Hash.Length) Variable Messages [0] Variable Messages [1] Variable Hash( ) Messages [n], 56

Client says Hello CH Parameter Description Notes Protocol Version Legacy slot for protocol version. 0x0303 TLS v1.2 Random The Client Random No more Unix time Session ID Session ID Forced 0 byte length Cipher Suites Symmetric cipher options One of Five Compression Methods N/A Must specify not supported. Supported Versions List of uint16 0x0304 (TLS v1.3) Signature Algorithms List of supported Required for Client Cert Auth Negotiated Groups Key Share Pre-Shared Key Required for (EC)DHE Required for (EC)DHE Required for PSK (incl. session resumption) 57

First Contact: Client Hello Client initiates the connection. Contents: Version (Legacy) Unused, must be set to 0x0303 (TLS v1.2) Client Random Used in PRF to create master secret. Session ID (Legacy) Ignored, kept for backwards compatibility. Supported Cipher Suites What cipher suites this client can support. Compression (Legacy) Ignored, kept for backwards compatibility Extensions (TLS v1.3) List of supported TLS versions (mandatory) Extensions (Others) Other extensions, e.g. SNI 58

RSA Key Exchange & Forward Secrecy The problem with RSA key exchange: The pre-master secret is always encrypted with the public certificate key in the certificate. The certificate doesn t change (often). If the private key was ever compromised, Eve could read every conversation. 59

SHA-1 & MD5 Weaknesses Cryptographic hash algorithm features: Find any m and m such that hash(m)=hash(m ) Find m given m such that hash(m)=hash(m ) Find m given x such that hash(m)=x MD5 vulnerabilities: Collision attack done. Theoretical attack on pre-image (2 123 operations). SHA-1 vulnerabilities: Collisions attack given 6500 CPU-years or 1000-GPU years. Reduced cryptographic strength from 160 bits to 77 bits. 60

Renegotiation Attacks [RRDO10] 61

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback