Securely Deploying TLS 1.3. September 2017

Similar documents
History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

Overview of TLS v1.3 What s new, what s removed and what s changed?

CSCE 715: Network Systems Security

TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key

MTAT Applied Cryptography

Coming of Age: A Longitudinal Study of TLS Deployment

Overview of TLS v1.3. What s new, what s removed and what s changed?

Auth. Key Exchange. Dan Boneh

Security Protocols and Infrastructures

Chapter 4: Securing TCP connections

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

The Road to TLS 1.3. Eric Rescorla Mozilla The Road to TLS 1.3 1

TLS1.2 IS DEAD BE READY FOR TLS1.3

TLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Securing IoT applications with Mbed TLS Hannes Tschofenig

Internet security and privacy

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

State of TLS usage current and future. Dave Thompson

TLS 1.2 Protocol Execution Transcript

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Transport Layer Security

CS 161 Computer Security

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Practical Issues with TLS Client Certificate Authentication

What s new in TLS 1.3 (and OpenSSL as a result) Rich Salz

Transport Layer Security

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Security Protocols and Infrastructures. Winter Term 2010/2011

Transport Layer Security

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

CS 356 Internet Security Protocols. Fall 2013

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Cryptography (Overview)

TLS 1.3. Eric Rescorla Mozilla draft-ietf-tls-tls13-21 IETF 100 TLS 1

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Introduction to cryptology (GBIN8U16) Introduction

Security Protocols and Infrastructures. Winter Term 2015/2016

SSL/TLS. Pehr Söderman Natsak08/DD2495

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

Overview. SSL Cryptography Overview CHAPTER 1

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

TLS 1.1 Security fixes and TLS extensions RFC4346

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

WAP Security. Helsinki University of Technology S Security of Communication Protocols

MTAT Applied Cryptography

Authenticated Encryption in TLS

TLS 1.3: A Collision of Implementation, Standards, and Cryptography

Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices. Abstract

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

Was ist neu bei TLS 1.3?

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Fast-Track Session Establishment for TLS

Network Working Group. Intended status: Standards Track. R. Housley Vigil Security, LLC P. Turner Venafi S. Fenter July 3, 2017

ON THE SECURITY OF TLS RENEGOTIATION

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

HTTPS is Fast and Hassle-free with Cloudflare

Summary on Crypto Primitives and Protocols

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Performance Implications of Security Protocols

TLS Extensions Project IMT Network Security Spring 2004

Cryptology complementary. Introduction

Secure Socket Layer. Security Threat Classifications

Formally Analyzing the TLS 1.3 proposal

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Key Encryption as per T10/06-103

L13. Reviews. Rocky K. C. Chang, April 10, 2015

SECRETS OF THE ENCRYPTED INTERNET: WORLDWIDE CRYPTOGRAPHIC TRENDS

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Crypto meets Web Security: Certificates and SSL/TLS

Security analysis of DTLS 1.2 implementations

Understanding Traffic Decryption

18-642: Cryptography 11/15/ Philip Koopman

Part III TLS 1.3 and other Protocols

TLS in Practice including the road to 1.3

CS 161 Computer Security

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

TLS authentication using ETSI TS and IEEE certificates

Internet Engineering Task Force (IETF) ISSN: January Suite B Profile for Transport Layer Security (TLS)

VPN Overview. VPN Types

OPTLS and TLS 1.3. Hugo Krawczyk, Hoeteck Wee. TRON Workshop 2/21/2016

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

PROTECTING CONVERSATIONS

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999

Alice in Cyber world

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

How to Configure SSL Interception in the Firewall

2.1 Basic Cryptography Concepts

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

CIS 4360 Secure Computer Systems Applied Cryptography

CIS 5373 Systems Security

Configuring Internet Key Exchange Security Protocol

E-commerce security: SSL/TLS, SET and others. 4.1

Transcription:

Securely Deploying TLS 1.3 September 2017

Agenda Why TLS 1.3? Zero Round Trip Time (0-RTT) requests Forward secrecy Resumption key management

Why TLS 1.3?

Speed TLS impacts latency, not thoroughput Protocol setup requires one round trip Resume can be zero round trips Send application data ASAP

TLS 1.2 vs 1.3 ClientHello KeyShare ClientHello ClientKeyExchange ChangeCipherSpec Finished ServerHello Certificate ServerKeyExchange ServerHelloDone ChangeCipherSpec Finished Finished Application Data ServerHello KeyShare Certificate CertificateVerify Finished Application Data Application Data Application Data

Your POODLE will not DROWN in CRIME All symmetric ciphers are AEAD AES-GCM, AES-CCM, ChaCha20-Poly1305 All key exchanges are ephemeral FFDH over standard groups and ECDH All signatures are modern RSA-PSS, ECDSA, EdDSA Troublesome features discarded Compression, Export Ciphers, Explicit IV

Why TLS 1.3? Lower latency == happier users Conservative design == less churn Heavily reviewed and deployed today

Zero Round Trip Time

Standard Setup vs. 0-RTT ClientHello KeyShare Finished Application Data ServerHello KeyShare Certificate CertificateVerify Finished Application Data ClientHello EarlyData PreSharedKey KeyShare Application Data EndOfEarlyData Finished ServerHello PreSharedKey KeyShare Finished Application Data Application Data Application Data

Security implications 0-RTT requests can be replayed Let s replay Transfer 5 dollars to Scott Another corner case early server data We have a layering violation!

Reetbleed!

How on Earth did this happen? Unintended replays are a problem now Important transactions are idempotent Spec suggests users opt-in to 0-RTT Early draft adopters are working on patterns for application-level checks

Everything is ok

Zero Round Trip Time Do Design for idempotence Check for your stack s flag if you can t Do Not... Turn on 0-RTT blindly for all requests Make a logo

Monitoring Traffic Securely

Agreeing on a common key 1. Client generates key and encrypts to server s public key 2. Client and Server use Diffie-Hellman with ephemeral parameters

RSA Key Exchange Option 1 is secure so long as the server s private key is never disclosed If that key is leaked or broken, all historic traffic can be decrypted

Diffie-Hellman Key Exchange Option 2 is secure as long as the server is not using a compromised key Attacker needs server private key AND intercept the DH exchange to compromise the session key

You get forward secrecy! All key exchanges in TLS 1.3 provide forward secrecy Great for practical security Great for hedge against unknown cryptographic breaks...but

Monitoring solutions impacted If you rely on decrypting historic ciphertext, this means you There s a reason - we broke attackers that want to do the same thing IF you are affected, hit the whiteboard

Monitoring Traffic Securely Do: Deploy TLS 1.3 Monitor managed environments Don t: Hobble TLS 1.3 Prefer down-level for ease of monitoring

Resumption Key Management

Session Resumption Remember 0-RTT? That pre-shared key needs to be shared In practice, client informs server of key

Session Resumption 1. Keep a list of all historic keys and give the client an identifier 2. Keep one key, use it to encrypt PSK 24

Session Resumption The spec leaves it to the implementer Option 2 is a safe bet Key management is your problem 25

Key Management Hiccups Unsynchronized keys across servers 0-RTT Fails Failing to rotate aggressively Great single point of failure Failing to negotiate ephemeral key Limited benefits of forward secrecy 26

Resumption Key Management Do: Rotate keys on an aggressive schedule Distribute keys to server farm securely Negotiate ephemeral keys after PSK Don t: Think it is secure out of the box 27

Thank You!

Thank You Crypto Services at NCC Group Joe Salowey of Tableau Nick Sullivan of Cloudflare The IETF Working Group

More Information TLS 1.3 Specification https://github.com/tlswg/tls13-spec Bulletproof TLS Newsletter https://www.feistyduck.com/bulletproof-tlsnewsletter/ Cloudflare Blog https://blog.cloudflare.com/

Questions? Comments? scott.stender@nccgroup.trust @ScottStender

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback