Hello TLS 1.3

Transcript

1. Hello, TLS 1.3 2018.09.12 Brice Bang Buzzvil Hello, TLS 1.3

   2018.09.12 Brice Bang Buzzvil

2. Disclaimer • This presentation may have incorrect information • Because

   • I’m not a • If you have any questions, they will help you Hacker Expert

3. August 10, 2018

4. August 10, 2018

5. August 10, 2018 Have you ever waited for TLS 1.3

   to be published here?

6. History of TLS • Netscape developed the Secure Sockets Layer

   (SSL) Protocol TLS v1.3 2014.04: first draft 2016.09: available by Cloudflare 2018.03: 28Th draft 2018.08: Finalized (RFC 8446)

7. TLS Transport Layer Security

8. TLS Transport Layer Security Transport Layer Security

9. Transport Layer

10. The States of Digital Data

11. What Is The Transport Layer? 802.11 IP TCP HTTP

12. What Is The Transport Layer? 802.11 IP TCP HTTPS

13. Routing Sender(Client) Receiver(Server)

14. Routing Sender(Client) Receiver(Server)

15. Routing Have you ever sent/passed/received a note during class? in

    class

16. Pass Notes in Class • Sender • Prepare a paper

    • Write your name • Write a message • Fold it • Write the receiver’s name • Pass it to a nearby one • Deliverer • See the name on the outside of the note • Find where the receiver is • Pass it to a shortest path or to a closer one • Receiver • See the name on the outside of the note • Open it • Check the name of the sender • Read the message

17. Pass Notes in Class • Sender • Prepare a paper

    • Write your name • Write a message • Fold it • Write the receiver’s name • Pass it to a nearby one • Deliverer • See the name on the outside of the note • Find where the receiver is • Pass it to a shortest path or to a closer one • Receiver • See the name on the outside of the note • Open it • Check the name of the sender • Read the message • Client • Prepare a buffer • Write your IP address • Write a payload • Create a packet from the buffer • Write the receiver’s IP address • Pass it to a nearby one • Router • See the receiver’s IP address of the packet • Find where the receiver is (routing protocol) • Pass it to a shortest path or to a better one • Receiver • See the receiver’s IP address of the packet • Parse it • Check the IP address of the sender • Read the payload Pass Packets in the Internet

18. Pass Notes in Class • Sender • Prepare a paper

    • Write your name • Write a message • Fold it • Write the receiver’s name • Pass it to a nearby one • Deliverer • See the name on the outside of the note • Find where the receiver is • Pass it to a shortest path or to a closer one • Receiver • See the name on the outside of the note • Open it • Check the name of the sender • Read the message • Client • Prepare a buffer • Write your IP address • Write a payload • Create a packet from the buffer • Write the receiver’s IP address • Pass it to a nearby one • Router • See the receiver’s IP address of the packet • Find where the receiver is (routing protocol) • Pass it to a shortest path or to a better one • Receiver • See the receiver’s IP address of the packet • Parse it • Check the IP address of the sender • Read the payload Pass Packets in the Internet Is it secure protocol?

19. Security

20. The Protocols Are Not Secure Sender(Client) Receiver(Server) Alice Bob Eve

21. The Protocols Are Not Secure Sender(Client) Receiver(Server) Man-in-the-Middle Attack -

    Can’t trust the middle Alice Bob Eve

22. Security Threats and Goals • Eve can communicate to Alice

    pretending to be Bob • Authentication • Your buddy is Bob, not Eve • Eve can read the messages • Confidentiality (Privacy) • Only Alice and Bob can read, no one else (including Eve) can read it • Eve can modify or forge the messages • Integrity • The messages written by Alice is not altered

23. • Security Goal • Authentication • Confidentiality (Privacy) • Integrity

    • Cipher Suite • A set of algorithms that help secure a network connection How Has TLS Achieved the Security Goals?

24. Cipher Suites of TLS 1.2

25. Cryptographic Primitives • Low-level cryptographic algorithms that are used to

    build cryptographic protocols • Symmetric-Key Cryptography: Cipher • Asymmetric-Key Cryptography: Key establishment, Authentication • Diffie-Hellman Key Exchange: Key establishment • Cryptographic Hash Function: Data Integrity • Message Authentication Code (MAC): Data Integrity Cipher Suite

26. Symmetric-Key Cryptography • Uses a same keys (session key) on

    encryption and decryption • Used for block/stream cipher because it is fast • Types • Block Ciphers: AES, SEED, ARIA • Stream Ciphers: ChaCha20, RC4 • Confidentiality • Authentication • How to share the key?

27. Asymmetric-Key Cryptography • Use the different keys on encryption and

    decryption • Private key • Public key • Algorithms: RSA, DSA • Authentication • Key exchange f

28. Digital Certificates • A digital document certifies the ownership of

    a public key • Algorithms • RSA • ECDSA • ANON • Authentication 28 f Alice Bob

29. Key Exchange / Agreement / Establishment • The methods to

    share same key on insecure channel • Types • RSA based • Diffie-Hellman (DH) based: DH, DHE, ECDH, ECHDE f

30. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f

31. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f Is Bob’s private key always safe for its lifetime?

32. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f Is Bob’s private key always safe for its lifetime?

33. The Heartbleed Bug – CVE-2014-0160 • A buffer over-read vulnerability

    due to missing bounds check in the implementation of the TLS heartbeat extension in the OpenSSL library • Long-lived private key can be compromised in the future

34. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f Is Bob’s private key always safe for its lifetime?

35. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f What If Eve keeps records all communications and obtains the Bob’s private key later? Is Bob’s private key always safe for its lifetime?

36. RSA Key Exchange • Alice encrypts the session key with

    the Bob’s RSA pubic key and send • Only Bob can decrypt it and get the session key f What If Eve keeps records all communications and obtains the Bob’s private key later? Is Bob’s private key always safe for its lifetime?

37. Perfect Forward Secrecy (PFS) 37 • The conversation are kept

    secure even if the long-term private key is compromised in the future To provide PFS • Use temporary session key • Do not save session key in permanent storage f

38. Diffie-Hellman(-Merkle) Key Exchange (DHM, DH) • An method allows two

    parties can have a shared session key over an insecure channel without prior knowledge • Algorithm • based on the discrete logarithm problem • ! = #$ %& = ((%$)%& = ((%&)%$= #& %$ • It’s hard to derive ! with just #& and #$ • Pros • Share a session key through unsafe channel • Perfect forward secrecy 38 f Public

39. Data Integrity • Hash Function • Keyed Hash Function •

    Message Authentication Code (MAC) • Pseudo-Random Functions (PRF) 39 f

40. Hash Function • Any function that maps data of arbitrary

    size to data of a fixed size • Cryptographic Hash Function • It has cryptographic properties • Pre-image resistance • Second pre-image resistance • Collision resistance • MD5, SHA-N, BLAKE2 • Integrity • Anyone can forge any messages • ex) python2 -c "print(hash('1’))” • Always same 40 f

41. Message Authentication Code (MAC) • A secret keyed hash function

    used to protect both a data integrity and its authenticity • Resistant to forgery attack • HMAC, CMAC, Poly1305, SipHash • Integrity and Authentication • ex) python3 -c "print(hash('1’))” • Different per process 41 f

42. TLS 1.2 Handshake Overview 1. Check the certificate of the

    peer 2. Choose a cipher suite that both support 3. Setup and share the parameters and the key of the cipher suite 4. Encrypt / decrypt suing that cipher suite

43. TLS 1.2 Handshake - RSA

44. TLS 1.2 Handshake - DH

45. Transport Layer Security 1.3

46. What’s the better in TLS 1.3? Security Speed

47. Major Difference from TLS 1.2 • 1-RTT handshake • initial

    support for 0-RTT • TLS 1.2 version negotiation mechanisms are deprecated • Split a cipher suite into cipher, key exchange and signature algorithm • All key exchange algorithms provide forward secrecy • EdDSA is added into the signature algorithms • Remove insecure ciphers (CBC-mode, RC4, SHA1, MD5, …) • Only AEAD is allowed for symmetric cryptography • The entire handshake is signed • All handshake messages after ServerHello are encrypted • Elliptic curve algorithms are in the base spec Security Speed

48. Handshakes Comparison • TLS 1.3 reduces 1 RTT TLS 1.2

    Full Handshake TLS 1.3 Full Handshake

49. TLS Resumption • Remember the last connection, and cut short

    the handshake TLS 1.2 – 1-RTT TLS 1.3 – 0-RTT

50. Simplify Negotiation • TLS 1.3 removes many legacy features, and

    split between three orthogonal negotiations

51. Key Exchange Algorithms of TLS 1.3 TLS1.3: All algorithms provide

    forward secrecy TLS 1.2

52. Signature Algorithms TLS 1.2 • RSA • DSA • ECDSA

    TLS 1.3 • RSA • ECDSA • EdDSA

53. Cipher Suites of TLS 1.2

54. Cipher Suites of TLS 1.2

55. Cipher Suites of TLS 1.2

56. Cipher Suites of TLS 1.3 TLS_AEAD_HASH

57. Authenticated Encryption with Associated Data (AEAD) • A form of

    encryption which simultaneously provides confidentiality, integrity, and authenticity on the data • The Attempts using cryptography and MAC before AE • Encrypt-and-MAC (E&M) • Encrypt-then-MAC (EtM) • MAC-then-Encrypt (MtE) • à Error prone and difficult • AD: The data that needs integrity, not confidentiality • ex) header

58. ChaCha20-Poly1305 • AES • AES-CBC • Widely used • Attack

    on CBC mode is emerged • AES-GCM • No known breaks • Slow • Small size nonce (8 bytes) • ChaCha20-Poly1305 • Faster than AES • No known breaks • Chosen by • Google • Cloudflare • TLS 1.3

59. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript

60. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript

61. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript

62. • The server’s signature only covers part of the handshake

    • A Symmetric MAC is used to ensure the integrity • It makes vulnerabilities (FREAK, LogJam, etc.) Signing the Entire Transcript

63. Encryption after ServerHello • TLS 1.3 reduces 1 RTT TLS

    1.2 Full Handshake TLS 1.3 Full Handshake

64. Elliptic Curve Cryptography • Using special computations on elliptic curve

    (!" = $% + '$ + () What is the pros? • Short encryption key • 256 bits are enough to offer 128-bits of security (compare to RSA-3072) • Faster • With 256-bit key is over 20 times faster than RSA-2048 RSA key size (bits) ECC key size (bits) 1024 160 2048 224 3072 256 7680 384 15360 521

65. Famous Elliptic Curves • NIST-p256 • NIST-p384 • NIST-p521 •

    Curve25519 • OpenSSL default • …

66. Elliptic Curve Groups of TLS 1.2 and TLS 1.3

67. Elliptic-Curve Diffie-Hellman Key Exchange (ECDH) • An method allows two

    parties can have a shared secret key over an insecure channel without prior knowledge • Traditional DIffie-Hellman (DH) • ! = #$ %& = ((%$)%& = ((%&)%$= #& %$ • Elliptic-Curve Diffie-Hellman (ECDH) • ! = %& #$ = %& (%$ *) = %$ (%& *) = %$ #& • Pros • Share a session key through unsafe channel • Perfect forward secrecy

68. Why did the TLS finalization take a long time?

69. Why did the TLS finalization take a long time? Because

    of the backward compatibility

70. The Version Negotiation of older TLS • Backward Compatibility of

    TLS 1.0 • SSLv3 = 3.0 = 0x0300 • TLS 1.0 = 3.1 = 0x0301 • TLS 1.1 = 3.2 = 0x0302 • TLS 1.2 = 3.3 = 0x0303 • TLS 1.3 = 3.4 = 0x0304 Client (TLS 1.3) 0x0304 Server (TLS 1.2) 0x0303 0x0303

71. The Version Negotiation of older TLS • Backward Compatibility of

    TLS 1.0 • SSLv3 = 3.0 = 0x0300 • TLS 1.0 = 3.1 = 0x0301 • TLS 1.1 = 3.2 = 0x0302 • TLS 1.2 = 3.3 = 0x0303 • TLS 1.3 = 3.4 = 0x0304 Client (TLS 1.3) 0x0304 Server (TLS 1.2) 0x0303 0x0303 Disconnect

72. Middleboxes

73. Middleboxes

74. Middleboxes

75. Solutions • Make the ClientHello packet of v1.3 look like

    that of v1.2 • Share the supported version list in extension ClientHello legacy_version = 0x0303; /* TLS 1.2 */ SupportedVersions List<ProtocolVersion> versions = { 0x0304, 0x0303, 0x0302 }; /* TLS 1.3, 1,2, 1.1, prefer order */ … ClientHello client_version = 0x0303; /* TLS 1.2 */ … TLS 1.2 TLS 1.3 Extensions

76. TLS 1.3 Deployment

77. TLS 1.3 Deployment

78. Test TLS 1.3

79. Test TLS 1.3

80. Test TLS 1.3

81. DJB • Danial J. Bernstein • Bernstein v. United States

    • Sued for the restriction on the export of cryptography from the United States • SipHash • Curve25519 • ed25519 • ChaCha20 • Poly1305 The reason that the Korean Internet became a ActiveX hell

82. References • https://en.m.wikipedia.org/wiki/Cryptography • https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/ • https://wiki.openssl.org/index.php/TLS1.3 • https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ •

    https://tools.ietf.org/html/rfc8446

83. Candidate for Presentation Items (My interests) • CPU Optimization, Meltdown

    and Spectre • WiFi Network is Insecure, Waiting for WPA3 • VPN • Elliptic Curve Cryptography • ….

84. Thank you

85. Backup Slides

86. Discrete Logarithm Problem • !" = $ %&' ( •

    A, B, x are integers, p is a public prime • A is a public information, B is a public key • It is easy to calculate B from x • It is hard to calculate x from B

87. Pseudo-Random Function (PRF) • A keyed hash function whose output

    looks like random values • MAC + The output should look like random: Stronger than MAC • HMAC, CMAC, Poly1305, SipHash • Integrity, Authentication • != Pseudo-Random Generator (PRG) • PRG: only if the input was chosen at random • PRF: regardless of how the inputs were chosen 87 f

88. The Version Negotiation of older TLS • Backward Compatibility of

    TLS 1.0 • SSLv3 = 3.0 = (3, 0) • TLS 1.0 = 3.1 = (3, 1) • TLS 1.1 = 3.2 = (3, 2) • TLS 1.2 = 3.3 = (3, 3) • Browser’s options • Enable 1.2 àMany sites will stop • Delay the deployment of 1.2 until these servers are fixed • Retry with an older version of TLS if connection fails Client (TLS 1.2) (3, 3) Server (TLS 1.0) (3, 1) (3, 1) Disconnect

89. Padding Oracle On Downgraded Legacy Encryption (POODLE) Fixes • Disable

    SSLv3 on both side • Enable a new TLS feature SCSV • Client mark its supported versions when downgraded • Server can detect the attack

90. Discrete Logarithm on Elliptic Curve • ! = #$ %&'

    ( • P, G is a point with integer coordinate, n is an integer, p is a public prime • G is a public information, P is a public key • It is easy to calculate P from n • It is hard to calculate n from P • Provides same security level with smaller keys

91. Discrete Logarithm on Elliptic Curve • ! = #$ %&'

    ( • P, G is a point with integer coordinate, n is an integer, p is a public prime • G is a public information, P is a public key • It is easy to calculate P from n • It is hard to calculate n from P • Provides same security level with smaller keys

92. Discrete Logarithm on Elliptic Curve • ! = #$ %&'

    ( • P, G is a point with integer coordinate, n is an integer, p is a public prime • G is a public information, P is a public key • It is easy to calculate P from n • It is hard to calculate n from P • Provides same security level with smaller keys

93. Security Level (Bits of security) • n-bit security: 2" operations

    are needed to break it • Sufficient Length • 128 bits of security is sufficient until next revolutionary breakthrough in either mathematics or technology • 112 bits of security is sufficient until 2030 • Symmetric cryptography • Normally equal to the key size • AES-128 (key size 128 bits) offers a 128-bit security level • Asymmetric cryptography • The entropy is decrease because it have to provide asymmetric function • RSA-3072 offers a 128-bit security level

94. TLS Resumption • Remember the last connection, and cut short

    the handshake

95. TLS Resumption • Remember the last connection, and cut short

    the handshake Browser can send only GET requests in 0-RTT