Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello, TLC 1.3

Buzzvil
December 12, 2018

Hello, TLC 1.3

Buzzvil

December 12, 2018
Tweet

More Decks by Buzzvil

Other Decks in Technology

Transcript

  1. Disclaimer • This presentation may have incorrect information • Because

    • I’m not a • If you have any questions, they will help you Hacker Expert
  2. History of TLS • Netscape developed the Secure Sockets Layer

    (SSL) Protocol TLS v1.3 2014.04: first draft 2016.09: available by Cloudflare 2018.03: 28Th draft 2018.08: Finalized (RFC 8446)
  3. Pass Notes in Class • Sender • Prepare a paper

    • Write your name • Write a message • Fold it • Write the receiver’s name • Pass it to a nearby one • Deliverer • See the name on the outside of the note • Find where the receiver is • Pass it to a shortest path or to a closer one • Receiver • See the name on the outside of the note • Open it • Check the name of the sender • Read the message
  4. Pass Notes in Class • Sender • Prepare a paper

    • Write your name • Write a message • Fold it • Write the receiver’s name • Pass it to a nearby one • Deliverer • See the name on the outside of the note • Find where the receiver is • Pass it to a shortest path or to a closer one • Receiver • See the name on the outside of the note • Open it • Check the name of the sender • Read the message • Client • Prepare a buffer • Write your IP address • Write a payload • Create a packet from the buffer • Write the receiver’s IP address • Pass it to a nearby one • Router • See the receiver’s IP address of the packet • Find where the receiver is (routing protocol) • Pass it to a shortest path or to a better one • Receiver • See the receiver’s IP address of the packet • Parse it • Check the IP address of the sender • Read the payload Pass Packets in the Internet
  5. Pass Notes in Class • Sender • Prepare a paper

    • Write your name • Write a message • Fold it • Write the receiver’s name • Pass it to a nearby one • Deliverer • See the name on the outside of the note • Find where the receiver is • Pass it to a shortest path or to a closer one • Receiver • See the name on the outside of the note • Open it • Check the name of the sender • Read the message • Client • Prepare a buffer • Write your IP address • Write a payload • Create a packet from the buffer • Write the receiver’s IP address • Pass it to a nearby one • Router • See the receiver’s IP address of the packet • Find where the receiver is (routing protocol) • Pass it to a shortest path or to a better one • Receiver • See the receiver’s IP address of the packet • Parse it • Check the IP address of the sender • Read the payload Pass Packets in the Internet Is it secure protocol?
  6. Security Threats and Goals • Eve can communicate to Alice

    pretending to be Bob • Authentication • Your buddy is Bob, not Eve • Eve can read the messages • Confidentiality (Privacy) • Only Alice and Bob can read, no one else (including Eve) can read it • Eve can modify or forge the messages • Integrity • The messages written by Alice is not altered
  7. • Security Goal • Authentication • Confidentiality (Privacy) • Integrity

    • Cipher Suite • A set of algorithms that help secure a network connection How Has TLS Achieved the Security Goals?
  8. Cryptographic Primitives • Low-level cryptographic algorithms that are used to

    build cryptographic protocols • Symmetric-Key Cryptography: Cipher • Asymmetric-Key Cryptography: Key establishment, Authentication • Diffie-Hellman Key Exchange: Key establishment • Cryptographic Hash Function: Data Integrity • Message Authentication Code (MAC): Data Integrity Cipher Suite
  9. Symmetric-Key Cryptography • Uses a same keys (session key) on

    encryption and decryption • Used for block/stream cipher because it is fast • Types • Block Ciphers: AES, SEED, ARIA • Stream Ciphers: ChaCha20, RC4 • Confidentiality • Authentication • How to share the key?
  10. Asymmetric-Key Cryptography • Use the different keys on encryption and

    decryption • Private key • Public key • Algorithms: RSA, DSA • Authentication • Key exchange f
  11. Digital Certificates • A digital document certifies the ownership of

    a public key • Algorithms • RSA • ECDSA • ANON • Authentication 28 f Alice Bob
  12. Key Exchange / Agreement / Establishment • The methods to

    share same key on insecure channel • Types • RSA based • Diffie-Hellman (DH) based: DH, DHE, ECDH, ECHDE f
  13. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f
  14. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f Is Bob’s private key always safe for its lifetime?
  15. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f Is Bob’s private key always safe for its lifetime?
  16. The Heartbleed Bug – CVE-2014-0160 • A buffer over-read vulnerability

    due to missing bounds check in the implementation of the TLS heartbeat extension in the OpenSSL library • Long-lived private key can be compromised in the future
  17. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f Is Bob’s private key always safe for its lifetime?
  18. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f What If Eve keeps records all communications and obtains the Bob’s private key later? Is Bob’s private key always safe for its lifetime?
  19. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f What If Eve keeps records all communications and obtains the Bob’s private key later? Is Bob’s private key always safe for its lifetime?
  20. Perfect Forward Secrecy (PFS) 37 • The conversation are kept

    secure even if the long-term private key is compromised in the future To provide PFS • Use temporary session key • Do not save session key in permanent storage f
  21. Diffie-Hellman(-Merkle) Key Exchange (DHM, DH) • An method allows two

    parties can have a shared session key over an insecure channel without prior knowledge • Algorithm • based on the discrete logarithm problem • ! = #$ %& = ((%$)%& = ((%&)%$= #& %$ • It’s hard to derive ! with just #& and #$ • Pros • Share a session key through unsafe channel • Perfect forward secrecy 38 f Public
  22. Data Integrity • Hash Function • Keyed Hash Function •

    Message Authentication Code (MAC) • Pseudo-Random Functions (PRF) 39 f
  23. Hash Function • Any function that maps data of arbitrary

    size to data of a fixed size • Cryptographic Hash Function • It has cryptographic properties • Pre-image resistance • Second pre-image resistance • Collision resistance • MD5, SHA-N, BLAKE2 • Integrity • Anyone can forge any messages • ex) python2 -c "print(hash('1’))” • Always same 40 f
  24. Message Authentication Code (MAC) • A secret keyed hash function

    used to protect both a data integrity and its authenticity • Resistant to forgery attack • HMAC, CMAC, Poly1305, SipHash • Integrity and Authentication • ex) python3 -c "print(hash('1’))” • Different per process 41 f
  25. TLS 1.2 Handshake Overview 1. Check the certificate of the

    peer 2. Choose a cipher suite that both support 3. Setup and share the parameters and the key of the cipher suite 4. Encrypt / decrypt suing that cipher suite
  26. Major Difference from TLS 1.2 • 1-RTT handshake • initial

    support for 0-RTT • TLS 1.2 version negotiation mechanisms are deprecated • Split a cipher suite into cipher, key exchange and signature algorithm • All key exchange algorithms provide forward secrecy • EdDSA is added into the signature algorithms • Remove insecure ciphers (CBC-mode, RC4, SHA1, MD5, …) • Only AEAD is allowed for symmetric cryptography • The entire handshake is signed • All handshake messages after ServerHello are encrypted • Elliptic curve algorithms are in the base spec Security Speed
  27. Handshakes Comparison • TLS 1.3 reduces 1 RTT TLS 1.2

    Full Handshake TLS 1.3 Full Handshake
  28. TLS Resumption • Remember the last connection, and cut short

    the handshake TLS 1.2 – 1-RTT TLS 1.3 – 0-RTT
  29. Simplify Negotiation • TLS 1.3 removes many legacy features, and

    split between three orthogonal negotiations
  30. Signature Algorithms TLS 1.2 • RSA • DSA • ECDSA

    TLS 1.3 • RSA • ECDSA • EdDSA
  31. Authenticated Encryption with Associated Data (AEAD) • A form of

    encryption which simultaneously provides confidentiality, integrity, and authenticity on the data • The Attempts using cryptography and MAC before AE • Encrypt-and-MAC (E&M) • Encrypt-then-MAC (EtM) • MAC-then-Encrypt (MtE) • à Error prone and difficult • AD: The data that needs integrity, not confidentiality • ex) header
  32. ChaCha20-Poly1305 • AES • AES-CBC • Widely used • Attack

    on CBC mode is emerged • AES-GCM • No known breaks • Slow • Small size nonce (8 bytes) • ChaCha20-Poly1305 • Faster than AES • No known breaks • Chosen by • Google • Cloudflare • TLS 1.3
  33. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript
  34. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript
  35. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript
  36. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript
  37. Encryption after ServerHello • TLS 1.3 reduces 1 RTT TLS

    1.2 Full Handshake TLS 1.3 Full Handshake
  38. Elliptic Curve Cryptography • Using special computations on elliptic curve

    (!" = $% + '$ + () What is the pros? • Short encryption key • 256 bits are enough to offer 128-bits of security (compare to RSA-3072) • Faster • With 256-bit key is over 20 times faster than RSA-2048 RSA key size (bits) ECC key size (bits) 1024 160 2048 224 3072 256 7680 384 15360 521
  39. Elliptic-Curve Diffie-Hellman Key Exchange (ECDH) • An method allows two

    parties can have a shared secret key over an insecure channel without prior knowledge • Traditional DIffie-Hellman (DH) • ! = #$ %& = ((%$)%& = ((%&)%$= #& %$ • Elliptic-Curve Diffie-Hellman (ECDH) • ! = %& #$ = %& (%$ *) = %$ (%& *) = %$ #& • Pros • Share a session key through unsafe channel • Perfect forward secrecy
  40. The Version Negotiation of older TLS • Backward Compatibility of

    TLS 1.0 • SSLv3 = 3.0 = 0x0300 • TLS 1.0 = 3.1 = 0x0301 • TLS 1.1 = 3.2 = 0x0302 • TLS 1.2 = 3.3 = 0x0303 • TLS 1.3 = 3.4 = 0x0304 Client (TLS 1.3) 0x0304 Server (TLS 1.2) 0x0303 0x0303
  41. The Version Negotiation of older TLS • Backward Compatibility of

    TLS 1.0 • SSLv3 = 3.0 = 0x0300 • TLS 1.0 = 3.1 = 0x0301 • TLS 1.1 = 3.2 = 0x0302 • TLS 1.2 = 3.3 = 0x0303 • TLS 1.3 = 3.4 = 0x0304 Client (TLS 1.3) 0x0304 Server (TLS 1.2) 0x0303 0x0303 Disconnect
  42. Solutions • Make the ClientHello packet of v1.3 look like

    that of v1.2 • Share the supported version list in extension ClientHello legacy_version = 0x0303; /* TLS 1.2 */ SupportedVersions List<ProtocolVersion> versions = { 0x0304, 0x0303, 0x0302 }; /* TLS 1.3, 1,2, 1.1, prefer order */ … ClientHello client_version = 0x0303; /* TLS 1.2 */ … TLS 1.2 TLS 1.3 Extensions
  43. DJB • Danial J. Bernstein • Bernstein v. United States

    • Sued for the restriction on the export of cryptography from the United States • SipHash • Curve25519 • ed25519 • ChaCha20 • Poly1305 The reason that the Korean Internet became a ActiveX hell
  44. Candidate for Presentation Items (My interests) • CPU Optimization, Meltdown

    and Spectre • WiFi Network is Insecure, Waiting for WPA3 • VPN • Elliptic Curve Cryptography • ….
  45. Discrete Logarithm Problem • !" = $ %&' ( •

    A, B, x are integers, p is a public prime • A is a public information, B is a public key • It is easy to calculate B from x • It is hard to calculate x from B
  46. Pseudo-Random Function (PRF) • A keyed hash function whose output

    looks like random values • MAC + The output should look like random: Stronger than MAC • HMAC, CMAC, Poly1305, SipHash • Integrity, Authentication • != Pseudo-Random Generator (PRG) • PRG: only if the input was chosen at random • PRF: regardless of how the inputs were chosen 87 f
  47. The Version Negotiation of older TLS • Backward Compatibility of

    TLS 1.0 • SSLv3 = 3.0 = (3, 0) • TLS 1.0 = 3.1 = (3, 1) • TLS 1.1 = 3.2 = (3, 2) • TLS 1.2 = 3.3 = (3, 3) • Browser’s options • Enable 1.2 àMany sites will stop • Delay the deployment of 1.2 until these servers are fixed • Retry with an older version of TLS if connection fails Client (TLS 1.2) (3, 3) Server (TLS 1.0) (3, 1) (3, 1) Disconnect
  48. Padding Oracle On Downgraded Legacy Encryption (POODLE) Fixes • Disable

    SSLv3 on both side • Enable a new TLS feature SCSV • Client mark its supported versions when downgraded • Server can detect the attack
  49. Discrete Logarithm on Elliptic Curve • ! = #$ %&'

    ( • P, G is a point with integer coordinate, n is an integer, p is a public prime • G is a public information, P is a public key • It is easy to calculate P from n • It is hard to calculate n from P • Provides same security level with smaller keys
  50. Discrete Logarithm on Elliptic Curve • ! = #$ %&'

    ( • P, G is a point with integer coordinate, n is an integer, p is a public prime • G is a public information, P is a public key • It is easy to calculate P from n • It is hard to calculate n from P • Provides same security level with smaller keys
  51. Discrete Logarithm on Elliptic Curve • ! = #$ %&'

    ( • P, G is a point with integer coordinate, n is an integer, p is a public prime • G is a public information, P is a public key • It is easy to calculate P from n • It is hard to calculate n from P • Provides same security level with smaller keys
  52. Security Level (Bits of security) • n-bit security: 2" operations

    are needed to break it • Sufficient Length • 128 bits of security is sufficient until next revolutionary breakthrough in either mathematics or technology • 112 bits of security is sufficient until 2030 • Symmetric cryptography • Normally equal to the key size • AES-128 (key size 128 bits) offers a 128-bit security level • Asymmetric cryptography • The entropy is decrease because it have to provide asymmetric function • RSA-3072 offers a 128-bit security level
  53. TLS Resumption • Remember the last connection, and cut short

    the handshake Browser can send only GET requests in 0-RTT