
Tetcon-2015 Using TLS correctly

duongkai
January 05, 2015

Presentation @Tetcon 2015

Transcript

  1. My job in the last 2 years: securing the TLS infrastructure for an Internet-facing service.
     - Auditor came: "Hey, you are using weak ciphers. Your traffic is not encrypted." - Okay. I fix it.
     - Heartbleed on the news: "Hey, you should generate new private keys." - Okay. I fix it.
     - Thai's on the news: "Hey, you should disable SSLv3." - Okay. I fix it.
     - Certificates expired. SHA-2 is rolling out: "Update nowwww." - Okay. I fix it.
  2. Repeated steps...
     1. Update to the latest version (OS, software).
     2. Get a 2048-bit certificate from a CA. Better if it supports SHA-256.
     3. Analyze legacy.
     4. Grab a configuration from the Internet. Apply it.
     5. Verify the TLS configuration with your own hands.
  3. When I looked back at Vietnam: "I configured it, but I could only turn off SSLv2 and SSLv3. TLS can't be used."
  4. So I did a survey.
     1. Dataset: 40 banks (one is offline), 8 payment gateways.
     2. Qualys SSL Labs API.
     3. Python scripts.
     4. During December 2014.
  5. Result.
     1. Support RC4: 37/48
     2. Support SSL: 12/48. 3/48 support SSLv2.
     3. BEAST vulnerable: 28/48
     4. POODLE TLS: 13/48
  6. Result.
     5. Support PFS: 16/48
     6. Support HSTS: 0/48
     7. Support Public Key Pinning: 0/48
     8. Support SHA-256 certificate: 4/48
  7. Result. Something's weird:
     - One is using a 4096-bit private key.
     - Some sites support only TLSv1.0.
     - Some sites support only SSLv2.0 and TLSv1.0.
  8. Data formats are confusing:
     - DER: binary.
     - PEM: Base64. The most common.
     - PKCS7: Base64. Contains the chain and the certificate.
     - PKCS12: binary. Contains the chain, the certificate and the private key.
  9. Ciphersuite DHE-RSA-AES256-SHA
     - Cipher suites are ordered on both server and client.
     - PFS (Perfect Forward Secrecy)
     - Modern ciphers: ECDHE, AES-GCM
     - Compatibility: AES-SHA
     - Weak: 3DES, DES, RC4, MD5.
  10. Perfect Forward Secrecy
     - Ephemeral session key (DHE, ECDHE).
     - The server's private key cannot decrypt the ephemeral session key.
     - Supported since SSL v3, OpenSSL 1.0.0.
     - Performance overhead.
  11. Perfect Forward Secrecy
      ./cipherscan www.google.com:443
      ...................
      prio  ciphersuite                   protocols                     pfs_keysize
      1     ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2                       ECDH,P-256,256bits
      2     ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2                       ECDH,P-256,256bits
      3     ECDHE-RSA-AES128-SHA          TLSv1.1,TLSv1.2               ECDH,P-256,256bits
      4     ECDHE-RSA-RC4-SHA             SSLv3,TLSv1,TLSv1.1,TLSv1.2   ECDH,P-256,256bits
      5     AES128-GCM-SHA256             TLSv1.2
  12. AES encryption mode
     - CBC: standard, vulnerable. AES256-SHA, AES128-SHA
     - GCM: faster, safer. Rare. AES128-GCM-SHA256
     - Key length: 128-bit is good enough.
  13. Session resumption
     - Reuse the session secret key because of computation costs.
     - Session IDs: the session is cached on the server, and the ID is sent to the client.
     - Session Tickets: the session data is encrypted by the server and sent to the client for resubmission.
     - Compromising the server cache => access to session keys.
  14. HSTS
     - HSTS (HTTP Strict Transport Security): data is forced to be transmitted only over HTTPS by enabling the "Strict-Transport-Security" header.
     - Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
     - IE supports it since v12. Firefox and Chrome support it since v4.
  15. Recap
      ssl_certificate /etc/nginx/ssl/server.crt;
      ssl_certificate_key /etc/nginx/ssl/server.key;
      ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt;
      ssl_dhparam /etc/nginx/ssl/dhparam.pem;
      # Session Resumption
      ssl_session_timeout 20m;
      ssl_session_cache shared:SSL:20m;
      ssl_prefer_server_ciphers on;
      # Enable OCSP stapling (req. nginx v 1.3.7+)
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
      ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
      …
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
      Source: https://gist.github.com/kennwhite/25183c3f05266ee0ad7f
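Step 5 of the repeated steps is "verify the TLS configuration with your own hands". As an added example (not code from the deck), the script below audits an nginx ssl_ciphers directive against the cipher categories of slide 9, and runs it over the recap's own cipher string from slide 15; the function names and the NULL/EXP tokens are my own assumptions, not from the talk.

```python
import re

# Slide 9's weak list: 3DES, DES, RC4, MD5 (OpenSSL spells 3DES as DES-CBC3).
# NULL and EXP(ORT) are my own additions, not from the deck.
WEAK_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXP", "EXP1024"}
PFS_KEX = {"ECDHE", "DHE", "EDH", "EECDH"}      # ephemeral key exchange (slide 10)
AEAD_TOKENS = {"GCM", "POLY1305", "CCM"}        # slide 12: GCM over CBC

def classify(suite):
    """Describe one OpenSSL suite name such as 'ECDHE-RSA-AES128-SHA'."""
    parts = suite.split("-")
    tokens = set(parts)
    if len(parts) == 1:
        category = "keyword"        # HIGH, aNULL, ...: a list keyword, not a suite
    elif tokens & WEAK_TOKENS:
        category = "weak"
    elif tokens & AEAD_TOKENS:
        category = "modern"         # AES-GCM / ChaCha20: no CBC padding to attack
    elif any(t.startswith("AES") for t in tokens):
        category = "compatibility"  # AES-CBC with HMAC-SHA*, slide 9's 'AES-SHA'
    else:
        category = "other"
    return {"suite": suite, "pfs": parts[0] in PFS_KEX, "category": category}

def ssl_ciphers_from_nginx(config_text):
    """Extract the suite names from an nginx 'ssl_ciphers ...;' directive."""
    m = re.search(r"^\s*ssl_ciphers\s+([^;]+);", config_text, re.M)
    if not m:
        raise ValueError("no ssl_ciphers directive found")
    # '!aNULL'-style entries are exclusions; they add no suite, so skip them.
    return [s.strip() for s in m.group(1).split(":") if s.strip() and not s.startswith("!")]

def audit(suites):
    """Return the findings a reviewer would raise; an empty list means none."""
    rows = [classify(s) for s in suites]
    findings = []
    for r in rows:
        if r["category"] == "weak":
            findings.append(f"{r['suite']}: weak cipher (slide 9: drop RC4/DES/MD5)")
        elif r["category"] != "keyword" and not r["pfs"]:
            findings.append(f"{r['suite']}: no forward secrecy (static RSA key exchange)")
    if not rows or not (rows[0]["pfs"] and rows[0]["category"] == "modern"):
        findings.append("first suite is not ECDHE+AEAD; with ssl_prefer_server_ciphers on, order decides")
    return findings

# Constructed sample: the recap's ssl_ciphers line (slide 15), line break repaired.
SAMPLE_NGINX = ("ssl_prefer_server_ciphers on;\n"
                "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;\n")

if __name__ == "__main__":
    for finding in audit(ssl_ciphers_from_nginx(SAMPLE_NGINX)):
        print(finding)   # flags RC4-SHA, which slide 9 lists as weak
```

The recap string passes on ordering and forward secrecy but its last entry, RC4-SHA, is exactly what slide 9 calls weak, so a config grabbed from the Internet still needs this kind of check.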
  16. But you know your legacy:
     - Windows XP pre-SP3: SHA-1 certs and SSLv3 only.
     - Java 6: no DHE > 1024 bits.
     - Apache and Nginx depend on the OpenSSL version.
     - Commercial products are old.
  17. In action
     - Mozilla TLS guide
     - Bettercrypto.org
     - Qualys TLS guide
     - Bulletproof SSL and TLS by Ivan Ristic
     - Deploy TLS the hard way
     - Getting an A+ on Qualys' SSL Labs Tester