Tetcon-2015 Using TLS correctly

Using TLS Correctly @duongkai

My job in last 2 years - Securing TLS infrastructure
for Internet-facing service. - Auditor came. - Hey, you are using weak ciphers. Your traffic is not encrypted. - Okay. I fix it. - Heartbleed on the news. - Hey, you should generate new private keys. - Okay. I fix it. - Thai’s on the news - Hey, you should disable SSLv3. - Okay. I fix it. - Certificates expired. SHA-2 is rolling out - Update nowwww. - Okay. I fix it. 2

Repeated steps... 1. Update the latest version (OS, software). 2.
Get a 2048-bit Certificates from CA. Better if it supports SHA-256. 3. Analyze legacy. 4. Grab the configuration on the Internet. Apply. 5. Verify TLS configuration with your own hands. 3

When I looked back at Vietnam “Mình đã cấu hình
nhưng chỉ tắt được SSLv2, SSLv3. Không dùng được TLS" 5

In pentest reports 6

So I did a survey. 1. Dataset - 40 banks
(one is offline). - 8 payment gateways 2. Qualys SSL Lab API 3. Python scripts 4. During December, 2014 7

Result. Grading A 2 A- 3 B 24 C 2
F 17 8

Result. Others 1. Support RC4: 37/48 2. Support SSL: 12/48.
3/48 support SSLv2. 3. BEAST vulnerable: 28/48 4. POODLE TLS: 13/48 9

Result. Others 5. Support PFS: 16/48 6. Support HSTS: 0/48
7. Support Public key Pinning: 0/48 8. Support SHA256 Certificate: 4/48 10

Result. Something’s weird - One is using 4096 private key.
- Some sites support only TLSv1.0. - Some sites support only SSLv2.0 and TLSv1.0 11

We need to fix that! 12

History 13

What does TLS offer? - Confidential (Encryption) - Authentication -
Integrity (hash and checksum) 14

Data format is confusing - DER Binary. - PEM Base64.
The most common. - PKCS7 Base64. Contain chains and certificate. - PKCS12 Binary. Contain chains, cert and private key. 15

Ciphersuite DHE-RSA-AES256-SHA - They have orders on both servers and
clients. - PFS (Perfect Forward Secrecy) - Modern ciphers: ECDHE, AES-GCM - Compatibility: AES-SHA - Weak: 3DES, DES, RC4, MD5. 16

Perfect Forward Secrecy - Ephemeral session key (DHE, ECDHE) -
Server private key cannot decrypt ephemeral session key. - Support since SSL v3, OpenSSL 1.0.0 - Performance overhead 17

Perfect Forward Secrecy ./cipherscan www.google.com:443 ................... prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH,P-256,256bits 2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits 3 ECDHE-RSA-AES128-SHA TLSv1.1,TLSv1.2 ECDH,P-256,256bits 4 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 5 AES128-GCM-SHA256 TLSv1.2 18

AES Encryption mode • CBC - standard, vulnerable. - AES256-SHA,
AES128-SHA • GCM - faster, safer. Rare - AES128-GCM-SHA256 • Key length 128-bit is good enough 19

Session resumption • Reuse session secret key because of computation
costs. • Session IDs were cached on server then sent to client. • Session Ticker session data was encrypted by server, sent to client for resubmission. • Compromise server cache => access session keys 20

HSTS • HSTS (HTTP Strict Transport Security): data is enforced
to transmit only HTTPS by enable header: “Strict-Transport-Security” • Strict-Transport-Security: max- age=expireTime [; includeSubdomains] • IE supports since v12. Firefox, Chrome support since v4 21

Other things • Support HTTP Public key pinning. • Support
OCSP stapling 22

Recap ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt; ssl_dhparam /etc/nginx/ssl/dhparam.pem; #
Session Resumption ssl_session_timeout 20m; ssl_session_cache shared:SSL:20m; ssl_prefer_server_ciphers on; # Enable OCSP stapling (req. nginx v 1.3.7+) ssl_stapling on; ssl_stapling_verify on; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128- SHA:DHE-RSA-AES128-SHA:RC4-SHA; … add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; https://gist.github.com/kennwhite/25183c3f05266ee0ad7f 23

But, you know your legacy • Windows XP pre-SP3: SHA1-certs
and SSLv3 only. • Java 6: No DHE > 1024 bits • Apache and Nginx depend on OpenSSL version. • Commercial products are old. 24

In action • Mozilla TLS guide • Bettercrypto.org • Qualys
TLS guide • Bulletproof SSL and TLS from Ivan Ristic • Deploy TLS the hardway • Getting an A+ on Qualy's SSL Labs Tester 25

Q&A 26

Tetcon-2015 Using TLS correctly

Tetcon-2015 Using TLS correctly

duongkai

More Decks by duongkai

Other Decks in Programming

Featured

Transcript

Using TLS Correctly @duongkai

My job in last 2 years - Securing TLS infrastructure

Repeated steps... 1. Update the latest version (OS, software). 2.

A+ 4

When I looked back at Vietnam “Mình đã cấu hình

In pentest reports 6

So I did a survey. 1. Dataset - 40 banks

Result. Grading A 2 A- 3 B 24 C 2

Result. Others 1. Support RC4: 37/48 2. Support SSL: 12/48.

Result. Others 5. Support PFS: 16/48 6. Support HSTS: 0/48

Result. Something’s weird - One is using 4096 private key.

We need to fix that! 12

History 13

What does TLS offer? - Confidential (Encryption) - Authentication -

Data format is confusing - DER Binary. - PEM Base64.

Ciphersuite DHE-RSA-AES256-SHA - They have orders on both servers and

Perfect Forward Secrecy - Ephemeral session key (DHE, ECDHE) -

Perfect Forward Secrecy ./cipherscan www.google.com:443 ................... prio ciphersuite protocols pfs_keysize

AES Encryption mode • CBC - standard, vulnerable. - AES256-SHA,

Session resumption • Reuse session secret key because of computation

HSTS • HSTS (HTTP Strict Transport Security): data is enforced

Other things • Support HTTP Public key pinning. • Support

Recap ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt; ssl_dhparam /etc/nginx/ssl/dhparam.pem; #

But, you know your legacy • Windows XP pre-SP3: SHA1-certs

In action • Mozilla TLS guide • Bettercrypto.org • Qualys

Q&A 26