Modern Network Security Mechanisms in Linux

Transcript

1. Modern Network Security Mechansisms in Linux Linuxwochen 2018 1

2. $whoami • Martin Schmiedecker • PhD in computer science from

   TU Wien • Teaching “Digital Forensics” and “Privacy Enhancing Technologies” • Certified expert witness Private: • Member of C3Wien • Old-timer enthusiast • Meme artist • @fr333k (private) 2

3. Motivation 3

4. Motivation 4

5. Motivation Source: Hackers Remotely Kill a Jeep on the Highway

   - With Me in It, Wired 5

6. Outline New & modern network security in Linux: • Layer

   2: MACSec • Layer 3: Wireguard • Layer 4: TLS 1.3 6

7. TL;DR – Networks Source: OSI Model, Wikipedia 7

8. Layer 2 is like

9. 802.1ae MACSec MACSec: • Layer 2! • Encrypts payload using

   GCM-AES-128 • Including IP packets, ARP & DHCP • But only LAN History: • Specified in 2006 by IEEE as 802.1AE • Amendment in 2011 as 802.1AEbn • Part of the Linux kernel since 4.6 (May 2016) 9

10. 802.1ae MACSec Provides: • Confidentiality • Integrity • Replay protection

    10

11. 802.1ae MACSec Security-wise: • Uses GCM-AES-128 and GCM-AES-256 • Authenticated

    encryption == implicit integrity (AEAD) • Can rely on 802.1X for device/user authentication! • But: CVE-2017-7477 heap overflow 11

12. 802.1ae MACSec Use cases: • Shared secret with two hosts

    • PC to PC • switch to switch • n hosts using 802.1X MACsec extension Usage today: • Mostly in carrier-grade, commercial switches • Juniper, Cisco, Huawei, Meraki, HP, … 1.500€+ • VXLAN (RFC 7348) for clouds • Cars, trains, anyone? 12

13. 802.1ae MACSec Local setup: 1. MACSec switch, or 2. All

    hosts with MACSec-agnostic switch Source: “MACsec - Encryption for the wired LAN”, Sabrina Dubroca, NetDev 2016 13

14. 802.1ae MACSec Multi-channel: • Multiple secure channels Source: “MACsec -

    Encryption for the wired LAN”, Sabrina Dubroca, NetDev 2016 14

15. 802.1ae MACSec Upsides: • No cipher agility • Really fast,

    uses AES-NI • Solid crypto • Manageable using 802.1X 15

16. 802.1ae MACSec Downsides: • No cipher agility • Key management

    • Not resistant against traffic analysis • Largely unknown? 16

17. 802.1ae MACSec Howto: host1:~$ ip link add link eth0 macsec0

    type macsec encrypt on host1:~$ ip macsec add macsec0 rx port 1 address C0:FF:EE:C0:FF:EE host1:~$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 -> <128-bit send key> host1:~$ ip macsec add macsec0 rx port 1 address C0:FF:EE:C0:FF:EE -> sa 0 pn 1 on key 01 <128-bit receive key> host1:~$ <add route> Same for host2, done! 17

18. Layer 3 is like

19. WireGuard What is WireGuard? • Highly experimental VPN for layer

    3 • Faster then IPsec • Goals: be fast, slick, lean, compact, elegant 19

20. WireGuard Presented at NDSS conference 2017: • “WireGuard: Next Generation

    Kernel Network Tunnel” • Written & maintained by Jason Donenfeld Inner workings: • Implemented as kernel module • Authentication similar to SSH’s authenticated_keys • Roughly 4,000 LoC • Uses UDP 20

21. WireGuard Source: WireGuard: Next Generation Kernel Network Tunnel 21

22. Wireguard Security: • Modern crypto – Curve25519, ChaCha20/Poly1305, BLAKE2, …

    • Perfect forward secrecy, AEAD, ephemeral Diffie-Hellman, … • Noise protocol: • Designed by Trevor Perrin • NewHope DH: post-quantum • Plenty of implementations available: Rust, Go, … • Used by WhatsApp 22

23. Wireguard Howto: Source: WireGuard: Next Generation Kernel Network Tunnel 23

24. Wireguard Upsides: • Built-in roaming • Modern crypto • Easy

    configuration • So far: well-perceived in the crypto community 24

25. Wireguard Downsides: • Highly experimental • Not yet part of

    Linux kernel • Not yet user-land (Rust & Go) 25

26. Layer 4 is like

27. TLS 1.3 Short history of time: • SSL 1.0-3.0: all

    dead (Export cipher, POODLE, Drown, …) • TLS 1.0, 1.1: minor changes, better not use* • TLS 1.2: can be made to fly Soon: TLS 1.3 • IETF approved • Final version is 28 (see on github) • Mostly implement = draft version 23 27

28. TLS 1.3 ACME v2 & wildcards: Current usage of TLS:

    July 2018, with Chrome v68: 28

29. TLS 1.3 Some ongoing problems: • Interception proxies • Revocation

    (OCSP?) • Email 29

30. TLS 1.3 Some highlights from the standardization process: • Delayed

    for 1y+ because of middle boxes • Fix: make it look like TLS 1.2! • Banking industry tried to bully for static RSA key-exchange (source): 30

31. TLS 1.3 31

32. TLS 1.3 New features: • No more MD5, RC4, SHA1,

    CBC & static RSA handshakes • No compression • No renegotiation • Downgrade protection • Encrypted certificates • One round-trip less • Optional 0-RTT resumption 32

33. TLS 1.3 Already support it: • Chrome, by default since

    v63 • Already 2% of traffic from Cloudflare’s perspective • Firefox, supported since v58 • OpenSSL 1.1.1., BoringSSL, rustls, Go, … • This will change in 2018! 33

34. Summary:

35. Summary To conclude: • Plenty of funky stuff happening •

    Both MACsec & TLS 1.3 will be inevitable Funky future topics: • U2F & WebAuth • libSignal • Ping me if you want to know more 35

36. Thank you for your attention!