TLS 1.3 @ 33c3

The ins and outs of the new big revision of TLS, from the perspective of those who deployed it.

https://media.ccc.de/v/33c3-8348-deploying_tls_1_3_the_great_the_good_and_the_bad

Filippo Valsorda

December 27, 2016

Transcript

  1. TLS 1.3
    Nick Sullivan Filippo Valsorda
    @grittygrease @FiloSottile

  2. 1994 — SSLv2
    1995 — SSLv3
    1999 — TLS 1.0
    2006 — TLS 1.1
    2008 — TLS 1.2

  3. TLS 1.2 ECDHE handshake (slide diagram, client on the left, server on the right)
    Client → Server: Client Hello (supported cipher suites)
    Server → Client: Server Hello (chosen cipher suite), Certificate & signature, Key share
    Client → Server: Key share, Finished
    Server → Client: Finished
    Client → Server: HTTP GET
    Server → Client: HTTP Answer

  4. TLS 1.2 ECDHE

  5. TLS 1.0, 1.1 and 1.2 are not that different
    TLS 1.3 is a BIG jump

  6. TLS 1.3 handshake (slide diagram)
    Client → Server: Client Hello (supported AEAD / groups / signatures), Key share
    Server → Client: Server Hello (chosen AEAD), Key share, Certificate & signature, Finished
    Client → Server: Finished, HTTP GET
    Server → Client: HTTP Answer

  7. TLS 1.3 Hello Retry Request (slide diagram)
    Client → Server: Client Hello (supported AEAD / groups / signatures), Key share
    Server → Client: Hello Retry Request (chosen group, cookie)
    Client → Server: Client Hello (cookie), other key share
    Server → Client: Server Hello (chosen AEAD), Key share, Certificate & signature, Finished

  8. Resumption
    “Hey, I know you!”

  9. TLS 1.2 ECDHE with a New Session Ticket (slide diagram)
    Client → Server: Client Hello (supported cipher suites)
    Server → Client: Server Hello (session ID), Key share
    Client → Server: Key share, Finished
    Server → Client: New Session Ticket, Finished
    Client → Server: HTTP GET
    Server → Client: HTTP Answer

  10. TLS 1.2 Resumption (slide diagram)
    Client → Server: Client Hello (session ID / ticket)
    Server → Client: Server Hello, Finished
    Client → Server: Finished, HTTP GET
    Server → Client: HTTP Answer

  11. TLS 1.3 Resumption (slide diagram)
    Client → Server: Client Hello (session ticket (PSK))
    Server → Client: Server Hello, Finished
    Client → Server: Finished, HTTP GET
    Server → Client: HTTP Answer

  12. Forward Secrecy (slide diagram, the TLS 1.3 resumption flow again)
    Client → Server: Client Hello (session ticket (PSK))
    Server → Client: Server Hello, Finished
    Client → Server: Finished, HTTP GET
    Server → Client: HTTP Answer
    Annotation on the slide: “Decrypt this with the session ticket key”

  13. PSK-ECDHE (slide diagram)
    Client → Server: Client Hello (session ticket (PSK)), Key share
    Server → Client: Server Hello, Key share, Finished
    Client → Server: Finished, HTTP GET
    Server → Client: HTTP Answer

  14. 0-RTT (slide diagram)
    Client → Server: Client Hello (session ticket (PSK)), Key share, HTTP GET (early data)
    Server → Client: Server Hello, Key share, Finished, HTTP Answer
    Client → Server: Finished

  15. 0-RTT!
    But…

  16. 0-RTT
    No PSK-ECDHE

  17. 0-RTT w/ ECDHE (slide diagram)
    Client → Server: Client Hello (session ticket (PSK)), Key share, HTTP GET (early data)
    Server → Client: Server Hello, Key share, Finished, HTTP Answer
    Client → Server: Finished
    Annotation on the slide, once both key shares are exchanged: “Forward secret from here”

  18. TLS 1.2 is forward secret:
    • Relative to the certificate: always (using ECDHE)
    • Relative to the ticket key: never
    TLS 1.3 is forward secret:
    • Relative to the certificate: always
    • Relative to the ticket key: except 0-RTT early data (w/ PSK-ECDHE)

  19. 0-RTT
    Replays

  20. 0-RTT replay (slide diagram: the same first flight is delivered twice)
    Client → Server: Client Hello (session ticket (PSK)), Key share, HTTP GET
    Replayed copy → Server: Client Hello (session ticket (PSK)), Key share, HTTP GET

  21. obfuscated_ticket_age
    • The client sends the age in milliseconds of the ticket
    • The server checks it matches its view, with some leeway
    • Obfuscated with a ticket_age_add value sent as part of the New Session Ticket message
    struct {
        opaque identity<1..2^16-1>;
        uint32 obfuscated_ticket_age;
    } PskIdentity;
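The age check described on this slide, written out as an added Go example. This is not code from the talk, from tls-tris or from crypto/tls; the IssuedTicket record, the 10 second tolerance and the clock values are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ticketAgeTolerance is the leeway the server grants for clock drift and
// network delay (assumption: the protocol leaves the value to the server).
const ticketAgeTolerance = 10 * time.Second

// IssuedTicket is what the server remembers (or recovers by decrypting the
// ticket) about a session ticket it issued.
type IssuedTicket struct {
	IssuedAt time.Time     // server clock when New Session Ticket was sent
	AgeAdd   uint32        // ticket_age_add sent in the same message
	Lifetime time.Duration // ticket_lifetime
}

// ObfuscateTicketAge is the client-side computation: ticket age in
// milliseconds plus ticket_age_add, modulo 2^32 (uint32 addition wraps).
func ObfuscateTicketAge(age time.Duration, ageAdd uint32) uint32 {
	return uint32(age/time.Millisecond) + ageAdd
}

// ClaimedTicketAge is the server-side inverse: subtracting ticket_age_add in
// uint32 arithmetic undoes the wrap-around of ObfuscateTicketAge.
func ClaimedTicketAge(obfuscatedAge, ageAdd uint32) time.Duration {
	return time.Duration(obfuscatedAge-ageAdd) * time.Millisecond
}

var ErrTicketExpired = errors.New("ticket older than its lifetime")
var ErrTicketAgeMismatch = errors.New("client ticket age disagrees with server view")

// CheckTicketAge decides whether a PSK identity's obfuscated_ticket_age is
// acceptable. On failure the server falls back to a full handshake (and
// does not accept early data) rather than aborting: the check narrows the
// replay window, it does not authenticate the client.
func CheckTicketAge(t IssuedTicket, obfuscatedAge uint32, now time.Time) error {
	claimed := ClaimedTicketAge(obfuscatedAge, t.AgeAdd)
	actual := now.Sub(t.IssuedAt)
	if actual > t.Lifetime || claimed > t.Lifetime {
		return ErrTicketExpired
	}
	diff := claimed - actual
	if diff < 0 {
		diff = -diff
	}
	if diff > ticketAgeTolerance {
		return fmt.Errorf("%w: client says %v, server says %v", ErrTicketAgeMismatch, claimed, actual)
	}
	return nil
}

func main() {
	issued := time.Date(2016, time.December, 27, 12, 0, 0, 0, time.UTC) // constructed
	t := IssuedTicket{IssuedAt: issued, AgeAdd: 0xDEADBEEF, Lifetime: 7 * 24 * time.Hour}

	// Honest client, 5 s after the ticket was issued.
	obf := ObfuscateTicketAge(5*time.Second, t.AgeAdd)
	fmt.Println("fresh:", CheckTicketAge(t, obf, issued.Add(5*time.Second)))

	// The same ClientHello delivered again a minute later: the age no longer matches.
	fmt.Println("replayed:", CheckTicketAge(t, obf, issued.Add(65*time.Second)))
}
```

A copy of the ClientHello that reaches the server later than the tolerance fails the check; a copy that arrives within the tolerance does not, which is why the next slides still leave replay handling to the application.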

  22. 0-RTT confirmation (slide diagram)
    Client → Server: Client Hello (session ticket (PSK)), Key share, HTTP POST (early data)
    Server → Client: Server Hello, Key share, Finished
    Client → Server: Finished (the early-data HTTP POST is acted on only now)
    Server → Client: HTTP Answer

  23. max_early_data_size
    • The server must either accept or reject the early data,
    entirely, without knowing how much there will be
    • If it accepts it and can’t process it, it must buffer it
    • Once the Finished comes, all early data is confirmed
    • max_early_data_size limits the buffer size
    • Devised with Drew Springall

  24. It’s the application’s responsibility
    Protocols MUST NOT use 0-RTT data without a profile that defines its use.

  25. It’s the API’s responsibility
    • Default to 1-RTT
    • Allow the server to reject / wait for the Finished
    • Let the client decide what to send in the early data

  26. HTTP and 0-RTT
    • Utopia: GET is idempotent!
    • Reality: nope.
    GET /send_money.php?to=filippo&amount=1000

  28. HTTP and 0-RTT
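The decision that slides 22 to 28 leave to the HTTP layer, as an added Go example that is not code from the talk or from tls-tris: a request that arrived as early data is answered at once only if the application knows it is safe to replay, otherwise it is held back until the client's Finished (the confirmation flow of slide 22) or refused so the client retries after the handshake. The nonIdempotentPaths table and the request-line format are assumptions of the example; the "retry after the handshake" answer later became HTTP 425 Too Early in RFC 8470, which postdates the talk.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the HTTP layer's verdict on a request that came in as 0-RTT data.
type Decision int

const (
	ProcessNow      Decision = iota // safe to answer before the client's Finished
	WaitForFinished                 // buffer, answer only once the handshake confirms it
	RejectTooEarly                  // tell the client to resend after the handshake
)

func (d Decision) String() string {
	return []string{"ProcessNow", "WaitForFinished", "RejectTooEarly"}[d]
}

// nonIdempotentPaths lists endpoints the application knows have side effects
// even over GET (constructed, following the slide's send_money.php example).
var nonIdempotentPaths = map[string]bool{
	"/send_money.php": true,
}

var ErrBadRequestLine = errors.New("malformed request line")

// ParseRequestLine splits "METHOD /path?query HTTP/1.1" into method and path;
// the query string is dropped because the decision is keyed on the endpoint.
func ParseRequestLine(line string) (method, path string, err error) {
	parts := strings.Fields(line)
	if len(parts) != 3 || !strings.HasPrefix(parts[2], "HTTP/") {
		return "", "", ErrBadRequestLine
	}
	path = parts[1]
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	return parts[0], path, nil
}

// DecideEarlyData applies the policy:
//   - requests that did not arrive in early data are unaffected;
//   - a safe method on a path without side effects may be answered at once,
//     since a replay only costs the server a repeated read;
//   - anything else waits until the client's Finished proves the handshake is
//     live; a replayed first flight never gets that far. If the server API
//     cannot wait, the request is refused and the client resends over the
//     1-RTT keys.
func DecideEarlyData(requestLine string, fromEarlyData, canWaitForFinished bool) (Decision, error) {
	if !fromEarlyData {
		return ProcessNow, nil
	}
	method, path, err := ParseRequestLine(requestLine)
	if err != nil {
		return RejectTooEarly, err
	}
	safeMethod := method == "GET" || method == "HEAD"
	if safeMethod && !nonIdempotentPaths[path] {
		return ProcessNow, nil
	}
	if canWaitForFinished {
		return WaitForFinished, nil
	}
	return RejectTooEarly, nil
}

func main() {
	for _, line := range []string{ // constructed request lines
		"GET /index.html HTTP/1.1",
		"GET /send_money.php?to=filippo&amount=1000 HTTP/1.1",
		"POST /transfer HTTP/1.1",
	} {
		d, err := DecideEarlyData(line, true, true)
		fmt.Printf("%-52s -> %v %v\n", line, d, err)
	}
}
```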

  29. Complexity / Benefit

  30. No Forward Secrecy: TLS 1.2 Static RSA mode (slide diagram)
    Client → Server: Client Hello (supported cipher suites)
    Server → Client: Server Hello (chosen cipher suite), Certificate
    Client → Server: key material encrypted with the Certificate Public Key, Finished
    Server → Client: Finished

  31. To: IETF TLS 1.3 Working Group Members
    My name is Andrew Kennedy and I work at BITS, the technology policy division of the Financial Services Roundtable (http://www.fsroundtable.org/bits). My organization represents approximately 100 of the top 150 US-based financial services companies including banks, insurance, consumer finance, and asset management firms.
    [...]
    Deprecation of the RSA key exchange in TLS 1.3 will cause significant problems for financial institutions, almost all of whom are running TLS internally and have significant, security-critical investments in out-of-band TLS decryption.
    [...]

  32. Out-of-band TLS decryption?
    Yes, please!

  33. Hi Andrew,
    My view concerning your request: no.
    Rationale: We're trying to build a more secure internet.
    Meta-level comment:
    You're a bit late to the party. We're metaphorically speaking at the stage of emptying the ash trays and hunting for the not quite empty beer cans.
    More exactly, we are at draft 15 and RSA key transport disappeared from the spec about a dozen drafts ago. I know the banking industry is usually a bit slow off the mark, but this takes the biscuit.
    Cheers,
    Kenny

  34. MD5 & SHA1
    SLOTH 2016

  35. AES-CBC
    Vaudenay 2002
    Boneh/Brumley 2003
    BEAST 2011
    Lucky13 2013
    POODLE 2014
    Lucky Microseconds 2015

  36. RSA-PKCS1-1.5
    Bleichenbacher 1998(!!)
    Jager 2015
    DROWN 2016

  37. Compression
    CRIME 2012

  38. Renegotiation
    Marsh Ray Attack 2009
    Renegotiation DoS 2011
    Triple Handshake 2014
    Replaced with lightweight key update

  39. Lucky 13
    RC4 Weakness
    POODLE
    Vaudenay Padding Oracle
    BEAST
    CRIME
    BREACH
    WeakDH
    FREAK
    SLOTH
    Lucky Microseconds
    DROWN
    LogJam

  40. TLS 1.2 Certificate Authentication
    • Cipher negotiation protected by Finished Message (MAC)
    • MAC algorithm determined by cipher negotiation
    • FREAK, LogJam, CurveSwap: choose weak parameters

  41. TLS 1.2 ECDHE (slide diagram; the Hello messages carry the annotation “NOT SIGNED”)
    Client → Server: Client Hello (supported cipher suites)
    Server → Client: Server Hello (chosen cipher suite), Certificate & signature, Key share
    Client → Server: Key share, Finished
    Server → Client: Finished
    Client → Server: HTTP GET
    Server → Client: HTTP Answer

  42. TLS 1.3 (slide diagram; a brace groups all preceding messages as covered by the Signature)
    Client → Server: Client Hello (supported AEAD / groups / signatures), Key share
    Server → Client: Server Hello (chosen AEAD), Key share, Certificate, Signature, Finished
    Client → Server: Finished, HTTP GET
    Server → Client: HTTP Answer

  43. Fewer, better choices
    • Key Exchange, Cipher, Authentication negotiated separately
    • No arbitrary DH groups
    • No arbitrary curves
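What the brace on slide 42 means in practice, as an added Go example covering slides 40 to 43 (not code from the talk or from tls-tris): the server's signature is computed over a hash of every handshake message exchanged so far, so the negotiated parameters in the Hello messages are covered and a downgrade of them breaks verification. Ed25519 stands in for the certificate key; the CertificateVerify framing (64 spaces, context string, zero byte, transcript hash) follows RFC 8446 section 4.4.3, which postdates the draft the slides describe. The handshake messages are constructed strings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const serverContext = "TLS 1.3, server CertificateVerify"

// transcriptHash is Hash(ClientHello || ServerHello || ...) over the raw
// handshake messages in the order they were sent.
func transcriptHash(messages ...[]byte) []byte {
	h := sha256.New()
	for _, m := range messages {
		h.Write(m)
	}
	return h.Sum(nil)
}

// certificateVerifyContent builds the bytes that are actually signed.
func certificateVerifyContent(hash []byte) []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x20}, 64))
	b.WriteString(serverContext)
	b.WriteByte(0)
	b.Write(hash)
	return b.Bytes()
}

// SignTranscript is the server's CertificateVerify signature over the
// messages it received and sent.
func SignTranscript(priv ed25519.PrivateKey, messages ...[]byte) []byte {
	return ed25519.Sign(priv, certificateVerifyContent(transcriptHash(messages...)))
}

// VerifyTranscript is the client's check, over the messages it sent and received.
func VerifyTranscript(pub ed25519.PublicKey, sig []byte, messages ...[]byte) bool {
	return ed25519.Verify(pub, certificateVerifyContent(transcriptHash(messages...)), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for the handshake messages.
	clientHello := []byte("ClientHello: AEAD=[AES-GCM, ChaCha20] groups=[x25519, p256]")
	serverHello := []byte("ServerHello: AEAD=AES-GCM group=x25519")
	cert := []byte("Certificate: server chain")

	sig := SignTranscript(priv, clientHello, serverHello, cert)
	fmt.Println("genuine:", VerifyTranscript(pub, sig, clientHello, serverHello, cert))

	// A man in the middle rewrote the ClientHello in transit to offer fewer
	// groups. The server signs what it received; the client verifies against
	// what it sent, so the signature no longer matches.
	rewritten := []byte("ClientHello: AEAD=[AES-GCM, ChaCha20] groups=[p256]")
	sigMITM := SignTranscript(priv, rewritten, serverHello, cert)
	fmt.Println("downgraded:", VerifyTranscript(pub, sigMITM, clientHello, serverHello, cert))
}
```

In TLS 1.2 ECDHE (slide 41) the signature covers only the key share and the randoms, which is why FREAK and LogJam could swap the parameters without breaking it.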

  44. Safer Resumption
    TLS 1.2 tickets
    • Current session keys encrypted with session ticket key
    • Session ticket key compromise a risk for all connections
    TLS 1.3 tickets
    • Next session keys encrypted with session ticket key
    • Session ticket key compromise only a risk for resumed connections

  45. TLS 1.2 ECDHE with a New Session Ticket (slide diagram; the ticket is annotated “Unencrypted”)
    Client → Server: Client Hello (supported cipher suites)
    Server → Client: Server Hello (session ID), Key share
    Client → Server: Key share, Finished
    Server → Client: New Session Ticket (unencrypted), Finished
    Client → Server: HTTP GET
    Server → Client: HTTP Answer

  46. Formal Verification
    • Tamarin (Oxford, Royal Holloway)
    • ProScript-TLS, miTLS (INRIA)
    • nqsb-TLS (Cambridge)

  47. Standards
    The IETF way

  48. Timeline
    • First Draft: April 17, 2014
    • 3Shake, POODLE, FREAK, LogJam, DROWN, Lucky Microseconds, SLOTH, more…
    • Draft 18: October 26, 2016
    • Final draft: February, 2017 (we hope)
    • TLS 1.2: 79 pages
    • TLS 1.3: 81 pages (minus references and appendices)

  49. Github + Mailing List

  50. Key Schedule
    • Inspired by QUIC crypto
    • Semi-static DH key shared out of band
    • Tree-based key schedule

  51. 0
    |
    v
    PSK -> HKDF-Extract
    |
    +-----> Derive-Secret() = early_traffic_secret
    |
    v
    (EC)DHE -> HKDF-Extract
    |
    +-----> Derive-Secret() = handshake_traffic_secret
    |
    v
    0 -> HKDF-Extract
    |
    +-----> Derive-Secret() = traffic_secret_0
    |
    +-----> Derive-Secret() = resumption_master_secret
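The diagram above walked top to bottom in Go, as an added example that is not code from the talk or from tls-tris: three HKDF-Extract steps chained through the salt input, each followed by a Derive-Secret. The last output, resumption_master_secret, is what the next session's PSK is derived from, which is the "next session keys" point of slide 44. Assumptions of the example: HMAC-SHA256 as the hash, the HKDF-Expand-Label encoding and "tls13 " prefix of the final RFC 8446 (the draft on the slide used different label strings), label names taken from the slide's secret names, and constructed byte strings in place of real handshake messages.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const hashLen = sha256.Size

// hkdfExtract(salt, IKM) = HMAC-Hash(salt, IKM); a nil salt means HashLen zeros.
func hkdfExtract(salt, ikm []byte) []byte {
	if salt == nil {
		salt = make([]byte, hashLen)
	}
	m := hmac.New(sha256.New, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// hkdfExpand(PRK, info, L) per RFC 5869: T(i) = HMAC(PRK, T(i-1) || info || i).
func hkdfExpand(prk, info []byte, length int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < length; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// hkdfExpandLabel wraps label and context in the HkdfLabel structure:
// uint16 length, opaque label<7..255> = "tls13 " + Label, opaque context<0..255>.
func hkdfExpandLabel(secret []byte, label string, context []byte, length int) []byte {
	full := "tls13 " + label
	info := []byte{byte(length >> 8), byte(length), byte(len(full))}
	info = append(info, full...)
	info = append(info, byte(len(context)))
	info = append(info, context...)
	return hkdfExpand(secret, info, length)
}

// deriveSecret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), HashLen).
func deriveSecret(secret []byte, label string, transcript []byte) []byte {
	h := sha256.Sum256(transcript)
	return hkdfExpandLabel(secret, label, h[:], hashLen)
}

// KeySchedule holds the four outputs of the slide's diagram.
type KeySchedule struct {
	EarlyTrafficSecret     []byte
	HandshakeTrafficSecret []byte
	TrafficSecret0         []byte
	ResumptionMasterSecret []byte
}

// DeriveKeySchedule follows the diagram. psk is nil for a fresh handshake (the
// slide's "0": a zero-filled PSK), ecdhe is the (EC)DHE shared secret, and the
// four transcripts are the handshake messages concatenated up to ClientHello,
// ServerHello, the server's Finished and the client's Finished respectively.
func DeriveKeySchedule(psk, ecdhe, trCH, trSH, trSFin, trCFin []byte) KeySchedule {
	if psk == nil {
		psk = make([]byte, hashLen)
	}
	earlySecret := hkdfExtract(nil, psk)                                // PSK -> HKDF-Extract
	handshakeSecret := hkdfExtract(earlySecret, ecdhe)                  // (EC)DHE -> HKDF-Extract
	masterSecret := hkdfExtract(handshakeSecret, make([]byte, hashLen)) // 0 -> HKDF-Extract
	return KeySchedule{
		EarlyTrafficSecret:     deriveSecret(earlySecret, "early traffic", trCH),
		HandshakeTrafficSecret: deriveSecret(handshakeSecret, "handshake traffic", trSH),
		TrafficSecret0:         deriveSecret(masterSecret, "traffic 0", trSFin),
		ResumptionMasterSecret: deriveSecret(masterSecret, "resumption master", trCFin),
	}
}

func main() {
	// Constructed inputs standing in for real handshake bytes.
	ch := []byte("ClientHello")
	sh := append(append([]byte{}, ch...), "ServerHello"...)
	sfin := append(append([]byte{}, sh...), "Certificate CertificateVerify Finished"...)
	cfin := append(append([]byte{}, sfin...), "Finished"...)
	ks := DeriveKeySchedule(nil, []byte("constructed ECDHE shared secret"), ch, sh, sfin, cfin)
	fmt.Println("early_traffic_secret     ", hex.EncodeToString(ks.EarlyTrafficSecret))
	fmt.Println("handshake_traffic_secret ", hex.EncodeToString(ks.HandshakeTrafficSecret))
	fmt.Println("traffic_secret_0         ", hex.EncodeToString(ks.TrafficSecret0))
	fmt.Println("resumption_master_secret ", hex.EncodeToString(ks.ResumptionMasterSecret))
}
```

Because the (EC)DHE secret enters only at the second Extract, early_traffic_secret depends on the PSK alone, which is the key-schedule view of slide 18: 0-RTT data is not forward secret relative to the ticket key, everything after the handshake secret is.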

  52. What's in a name?
    Is it TLS 1.3, TLS 2, TLS 2.0, TLS 4, TLS 7, TLS 2017?

  53. Version Intolerance
    • Wire versions
      • SSL 3.0: 3.0
      • TLS 1.0: 3.1
      • TLS 1.1: 3.2
      • TLS 1.2: 3.3
      • TLS 1.3: 3.4 ???
    • Servers are intolerant of 3.4
    • >2% of servers fail connection
    • Solution: “3.3” in ClientHello, real versions in extension
    • GREASE by David Benjamin
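The workaround on this slide in code, as an added Go example that is not code from the talk or from tls-tris: the ClientHello keeps 3.3 in its legacy version field, the versions actually offered travel in a supported_versions extension, and GREASE values are mixed in so that a server that chokes on an unknown version is found now rather than when the next version ships. The extension encoding and the server's selection rule follow the final RFC 8446; the GREASE pattern (both bytes equal, low nibble 0xA) is the one later fixed in RFC 8701. The preference lists and 0x7f12 (the draft-18 wire value) are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	VersionSSL30 uint16 = 0x0300
	VersionTLS10 uint16 = 0x0301
	VersionTLS11 uint16 = 0x0302
	VersionTLS12 uint16 = 0x0303
	VersionTLS13 uint16 = 0x0304
)

// isGREASE reports whether v has the 0x?A?A pattern; such values are offered
// only to exercise peers and must never be selected.
func isGREASE(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

// EncodeSupportedVersions produces the ClientHello extension body: a one-byte
// length followed by uint16 versions, most preferred first.
func EncodeSupportedVersions(versions []uint16) []byte {
	out := []byte{byte(2 * len(versions))}
	for _, v := range versions {
		out = append(out, byte(v>>8), byte(v))
	}
	return out
}

var ErrMalformed = errors.New("malformed supported_versions extension")
var ErrNoCommonVersion = errors.New("no common version")

// ParseSupportedVersions is the inverse, with the length checks a server must do.
func ParseSupportedVersions(body []byte) ([]uint16, error) {
	if len(body) < 3 || int(body[0]) != len(body)-1 || body[0]%2 != 0 {
		return nil, ErrMalformed
	}
	var versions []uint16
	for i := 1; i < len(body); i += 2 {
		versions = append(versions, uint16(body[i])<<8|uint16(body[i+1]))
	}
	return versions, nil
}

// SelectVersion is the server's choice. With the extension present the legacy
// field is ignored and the server takes its most preferred version among the
// client's, skipping GREASE; without it the old rule applies and the result is
// capped at TLS 1.2, whatever the legacy field says.
func SelectVersion(legacyVersion uint16, supportedVersionsExt []byte, serverPrefs []uint16) (uint16, error) {
	if supportedVersionsExt == nil {
		v := legacyVersion
		if v > VersionTLS12 {
			v = VersionTLS12
		}
		var best uint16
		for _, s := range serverPrefs {
			if s <= v && s > best {
				best = s
			}
		}
		if best == 0 {
			return 0, ErrNoCommonVersion
		}
		return best, nil
	}
	offered, err := ParseSupportedVersions(supportedVersionsExt)
	if err != nil {
		return 0, err
	}
	for _, s := range serverPrefs {
		for _, o := range offered {
			if !isGREASE(o) && o == s {
				return s, nil
			}
		}
	}
	return 0, ErrNoCommonVersion
}

func main() {
	ext := EncodeSupportedVersions([]uint16{0x0a0a, VersionTLS13, VersionTLS12})
	fmt.Printf("legacy_version 0x%04x, supported_versions %x\n", VersionTLS12, ext)
	v, err := SelectVersion(VersionTLS12, ext, []uint16{VersionTLS13, VersionTLS12})
	fmt.Printf("selected 0x%04x, err %v\n", v, err)
}
```

A server that predates the extension ignores it and sees a plain 3.3 ClientHello, which is exactly what keeps the intolerant 2% from failing the connection.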

  54. Version Intolerance

  55. Implementation
    Getting our hands dirty

  56. IETF 95 Hackathon - April 2016
    • NSS (C): Martin Thomson and Eric Rescorla
    • Mint (Go): Richard Barnes and Nick Sullivan
    Result:
    Firefox was able to load https://tls13.cloudflare.com!

  57. • Based on Go crypto/tls
    • Server only
    • Audited

  58. https://go-review.googlesource.com/q/branch:+dev.tls

  59. Deploying is hard
    • First deployed Tris: draft 13
    • Supported multiple drafts at a time (“hybrids”)
    • Browsers sometimes… diverged

  60. You may already be using it
    • Firefox Nightly
    • Chrome Beta (50%) / Canary

  61. Chrome Field Test
    Firefox Nightly
    Cloudflare Launch

  62. Nick Sullivan Filippo Valsorda
    @grittygrease @FiloSottile
    https://tlswg.github.io/tls13-spec/
    https://github.com/cloudflare/tls-tris
    https://blog.cloudflare.com/tag/tls-1-3/

  63. Y U NO ENCRYPT SNI!?

  64. TLS 1.3 can’t encrypt SNI (slide diagram)
    Client → Server: Client Hello (SNI), Key share
    Server → Client: Server Hello, Key share, Certificate & signature, Finished
    Annotations on the slide: “No key negotiated yet” at the Client Hello, “Already has to pick certificate” at the server’s reply