Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Modern Network Security Mechanisms in Linux

Modern Network Security Mechanisms in Linux

Presentation at the Linuxwochen Wien 2018 #lww18.

May contain traces of MACSec (802.1ae), Wireguard and TLS 1.3.

Ca120f0a7176fea8160ba912f69b11f6?s=128

Martin Schmiedecker

May 04, 2018
Tweet

Transcript

  1. Modern Network Security Mechansisms in Linux Linuxwochen 2018 1

  2. $whoami • Martin Schmiedecker • PhD in computer science from

    TU Wien • Teaching “Digital Forensics” and “Privacy Enhancing Technologies” • Certified expert witness Private: • Member of C3Wien • Old-timer enthusiast • Meme artist • @fr333k (private) 2
  3. Motivation 3

  4. Motivation 4

  5. Motivation Source: Hackers Remotely Kill a Jeep on the Highway

    - With Me in It, Wired 5
  6. Outline New & modern network security in Linux: • Layer

    2: MACSec • Layer 3: Wireguard • Layer 4: TLS 1.3 6
  7. TL;DR – Networks Source: OSI Model, Wikipedia 7

  8. Layer 2 is like

  9. 802.1ae MACSec MACSec: • Layer 2! • Encrypts payload using

    GCM-AES-128 • Including IP packets, ARP & DHCP • But only LAN History: • Specified in 2006 by IEEE as 802.1AE • Amendment in 2011 as 802.1AEbn • Part of the Linux kernel since 4.6 (May 2016) 9
  10. 802.1ae MACSec Provides: • Confidentiality • Integrity • Replay protection

    10
  11. 802.1ae MACSec Security-wise: • Uses GCM-AES-128 and GCM-AES-256 • Authenticated

    encryption == implicit integrity (AEAD) • Can rely on 802.1X for device/user authentication! • But: CVE-2017-7477 heap overflow 11
  12. 802.1ae MACSec Use cases: • Shared secret with two hosts

    • PC to PC • switch to switch • n hosts using 802.1X MACsec extension Usage today: • Mostly in carrier-grade, commercial switches • Juniper, Cisco, Huawei, Meraki, HP, … 1.500€+ • VXLAN (RFC 7348) for clouds • Cars, trains, anyone? 12
  13. 802.1ae MACSec Local setup: 1. MACSec switch, or 2. All

    hosts with MACSec-agnostic switch Source: “MACsec - Encryption for the wired LAN”, Sabrina Dubroca, NetDev 2016 13
  14. 802.1ae MACSec Multi-channel: • Multiple secure channels Source: “MACsec -

    Encryption for the wired LAN”, Sabrina Dubroca, NetDev 2016 14
  15. 802.1ae MACSec Upsides: • No cipher agility • Really fast,

    uses AES-NI • Solid crypto • Manageable using 802.1X 15
  16. 802.1ae MACSec Downsides: • No cipher agility • Key management

    • Not resistant against traffic analysis • Largely unknown? 16
  17. 802.1ae MACSec Howto: host1:~$ ip link add link eth0 macsec0

    type macsec encrypt on host1:~$ ip macsec add macsec0 rx port 1 address C0:FF:EE:C0:FF:EE host1:~$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 -> <128-bit send key> host1:~$ ip macsec add macsec0 rx port 1 address C0:FF:EE:C0:FF:EE -> sa 0 pn 1 on key 01 <128-bit receive key> host1:~$ <add route> Same for host2, done! 17
  18. Layer 3 is like

  19. WireGuard What is WireGuard? • Highly experimental VPN for layer

    3 • Faster then IPsec • Goals: be fast, slick, lean, compact, elegant 19
  20. WireGuard Presented at NDSS conference 2017: • “WireGuard: Next Generation

    Kernel Network Tunnel” • Written & maintained by Jason Donenfeld Inner workings: • Implemented as kernel module • Authentication similar to SSH’s authenticated_keys • Roughly 4,000 LoC • Uses UDP 20
  21. WireGuard Source: WireGuard: Next Generation Kernel Network Tunnel 21

  22. Wireguard Security: • Modern crypto – Curve25519, ChaCha20/Poly1305, BLAKE2, …

    • Perfect forward secrecy, AEAD, ephemeral Diffie-Hellman, … • Noise protocol: • Designed by Trevor Perrin • NewHope DH: post-quantum • Plenty of implementations available: Rust, Go, … • Used by WhatsApp 22
  23. Wireguard Howto: Source: WireGuard: Next Generation Kernel Network Tunnel 23

  24. Wireguard Upsides: • Built-in roaming • Modern crypto • Easy

    configuration • So far: well-perceived in the crypto community 24
  25. Wireguard Downsides: • Highly experimental • Not yet part of

    Linux kernel • Not yet user-land (Rust & Go) 25
  26. Layer 4 is like

  27. TLS 1.3 Short history of time: • SSL 1.0-3.0: all

    dead (Export cipher, POODLE, Drown, …) • TLS 1.0, 1.1: minor changes, better not use* • TLS 1.2: can be made to fly Soon: TLS 1.3 • IETF approved • Final version is 28 (see on github) • Mostly implement = draft version 23 27
  28. TLS 1.3 ACME v2 & wildcards: Current usage of TLS:

    July 2018, with Chrome v68: 28
  29. TLS 1.3 Some ongoing problems: • Interception proxies • Revocation

    (OCSP?) • Email 29
  30. TLS 1.3 Some highlights from the standardization process: • Delayed

    for 1y+ because of middle boxes • Fix: make it look like TLS 1.2! • Banking industry tried to bully for static RSA key-exchange (source): 30
  31. TLS 1.3 31

  32. TLS 1.3 New features: • No more MD5, RC4, SHA1,

    CBC & static RSA handshakes • No compression • No renegotiation • Downgrade protection • Encrypted certificates • One round-trip less • Optional 0-RTT resumption 32
  33. TLS 1.3 Already support it: • Chrome, by default since

    v63 • Already 2% of traffic from Cloudflare’s perspective • Firefox, supported since v58 • OpenSSL 1.1.1., BoringSSL, rustls, Go, … • This will change in 2018! 33
  34. Summary:

  35. Summary To conclude: • Plenty of funky stuff happening •

    Both MACsec & TLS 1.3 will be inevitable Funky future topics: • U2F & WebAuth • libSignal • Ping me if you want to know more 35
  36. Thank you for your attention!