The first few milliseconds of HTTPS - PHPNW16

The first few milliseconds of HTTPS
1
Joshua Thijssen
JayTaph

View Slide

HTTPS ==
HTTP on top of TLS
2

View Slide

Transport Layer Security
(TLS)
3

View Slide

Secure Socket Layer
(SSL)
4
A short and scary history

View Slide

then
now
5

View Slide

then
now
SSL 1.0
Vaporware
1994
5

View Slide

then
now
feb
1995
SSL 2.0
Not-so-secure-socket-layer
SSL 1.0
Vaporware
1994
5

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
SSL 1.0
Vaporware
1994
5

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
SSL 1.0
Vaporware
1994
5

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
SSL 1.0
Vaporware
1994
5

View Slide

then
now
feb
1995
SSL 2.0
jun
1996
SSL 3.0
Something stable!
jan
1999
TLS 1.0
SSL 3.1
apr
2006
TLS 1.1
TLS 1.2
aug
2008
SSL 1.0
Vaporware
1994
5

View Slide

https://www.trustworthyinternet.org/ssl-pulse/
25,7%
99,6% 99,3%
18,2% 20,7%
SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
6
November 2013

View Slide

https://www.trustworthyinternet.org/ssl-pulse/
25,7%
99,6% 99,3%
18,2% 20,7%
6
November 2013
6,9%
21,4%
96,2%
77,6% 80,0%
September 2016

View Slide

7

View Slide

RFC 5246
(TLS v1.2)
8

View Slide

➡ Authenticate and exchange information.
➡ Exchange a key (through a public key
system).
➡ Create "tunnel" with symmetric encryption
(both sides use the same exchanged key).
9

View Slide

10
https://github.com/vincentbernat/rfc5077/blob/master/ssl-handshake.svg

View Slide

Attention:
(live)
wiresharking
up ahead
11

View Slide

12

View Slide

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
13

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
14

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
Cipher for exchanging
key information
14

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
key information
Cipher for
authenticating key
information
14

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
key information
Cipher for
authenticating key
information
Actual cipher (and
length) used for
communication
14

View Slide

TLS
ECDHE_ECDSA
WITH
AES_128_GCM
SHA256
key information
Cipher for
authenticating key
information
Hash algo for message
authenticating
Actual cipher (and
length) used for
communication
14

View Slide

TLS_RSA_WITH_AES_256_CBC_SHA256
15

View Slide

TLS_NULL_WITH_NULL_NULL
16

View Slide

Client gives cipher options,
Server ultimately decides on cipher!
17

View Slide

THIS IS WHY YOU SHOULD ALWAYS
CONFIGURE YOUR CIPHERS
ON YOUR WEB SERVER!
18
Unknown fact!

View Slide

19
https://cipherli.st
Gives you strong cipher configuration
webservers (apache,nginx etc)
and other software.

View Slide

https://www.ssllabs.com/ssltest/
20

View Slide

21

View Slide

22

View Slide

23
➡ SNI (Server Name Indication)
➡ Extension 0x0000
➡ Pretty much every decent browser / server / os
➡ Except:
IE6, Win XP, Blackberry, Android 2.x, java 1.6.x

View Slide

24

View Slide

What an SSL certificate is NOT:
25
➡ SSL certificate (but a X.509 certificate)
➡ Automatically secure
➡ Automatically trustworthy
➡ In any way better self-signed certificates
➡ Cheap

View Slide

What an SSL certificate is:
26
➡ The best way (but not perfect) to prove authenticity
➡ A way to bootstrap encrypted communication
➡ Misleading
➡ (Too) Expensive

View Slide

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:00:93:10:d2:06:db:e3:37:55:35:80:11:8d:dc:87
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
Validity
Not Before: Apr 8 00:00:00 2014 GMT
Not After : Apr 12 12:00:00 2016 GMT
Subject: ... C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:d4:dc:3c:af:fd:f3:4e:ed:c1:67:ad:e6:cb:
22:e8:b7:e2:ab:28:f2:f7:dc:62:70:08:d1:0c:af:
.......
67:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:github.com, DNS:www.github.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
6f:e7:6d:cb:82:f3:ef:90:87:09:d7:0f:15:22:2c:8c:fe:d3:
ab:1c:8a:96:db:5d:12:5d:d1:78:c0:31:b0:ff:45:c8:89:f7:
08:98:52:17:1f:4c:4b:20:64:6a:6d:db:50:d7:10:be:7e:ab:
......
ee:b7:33:69
27

View Slide

28
yourdomain.com

View Slide

28
yourdomain.com
Intermediate
CA

View Slide

28
yourdomain.com
Root
CA
Intermediate
CA

View Slide

29
IMPLIED TRU$T

View Slide

➡ (Root) Certificate Authorities
➡ They are built into your browser / OS
and you will automatically trust them.
30

View Slide

31
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l

View Slide

31
wget http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -O - -q | grep Issuer | sort | uniq | wc -l
176
And rising...

View Slide

32

View Slide

32
➡ X.509 certificates are used to authenticate
the server.

View Slide

32
the server.
➡ Servers can ask clients to authenticate
themselves as well.

View Slide

32
the server.
➡ Servers can ask clients to authenticate
themselves as well.
➡ APIs

View Slide

Sending over
our initial secret data
33

View Slide

➡ Client generates random key (pre-shared key).
➡ Client encrypts key with public key from
server SSL certificate.
➡ Client sends encrypted key to server.
➡ Server decrypts key.
34
RSA

View Slide

➡ Server generates key pair
➡ Server sends public key to client, with
signature to prove authenticity (pub key
from SSL certificate)
➡ Client generates key pair
➡ Client sends public key to server
➡ Both server and client calculate "secret".
35
(Elliptic curve) Difﬁe-Hellman (ephemeral)

View Slide

36

View Slide

37
Generating secrets:

View Slide

37
pre master secret
Generating secrets:

View Slide

37
pre master secret server rand
client rand
Generating secrets:
+ +

View Slide

37
client rand
master secret
Generating secrets:
+ +

View Slide

37
client rand
master secret
master secret server rand client rand
Generating secrets:
+ +
+
+

View Slide

37
client rand
master secret
key buffer
Generating secrets:
+ +
+
+

View Slide

37
client rand
master secret
client MAC client KEY client IV server MAC server KEY server IV
key buffer
Generating secrets:
+ +
+
+

View Slide

https://github.com/jaytaph/TLS-decoder
38
http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php/
Try it yourself, php style:

View Slide

39

View Slide

40

View Slide

41

View Slide

42
Wireshark CAN decrypt your HTTPS trafﬁc
Unknown fact!
SSLKEYLOGFILE
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415

View Slide

43
launchctl setenv SSLKEYLOGFILE /tmp/keylog.secret
on a mac:

View Slide

-ETOOMUCHINFO
44

View Slide

➡ TLS has overhead in computation and
transfers. But definitely worth it.
➡ Google likes it.
➡ Some cipher suites are better, but slower.
➡ Speed / Security compromise
➡ (try: “openssl speed”)
45

View Slide

https://tools.ietf.org/html/rfc7457
46
Summarizing Known Attacks on Transport Layer Security (TLS)
and Datagram TLS (DTLS)

View Slide

TLS 1.3
47

View Slide

48
➡ Still in draft
➡ 1-RTT (initial 0-RTT) for handshakes
➡ Dropped insecure features

View Slide

49
https://www.ssllabs.com/projects/best-practices/index.html

View Slide

http://farm1.static.ﬂickr.com/73/163450213_18478d3aa6_d.jpg 50

View Slide

51
Find me on twitter: @jaytaph
Find me for development and training: www.noxlogic.nl
Find me on email: [email protected]
Find me for blogs: www.adayinthelifeof.nl

View Slide

The first few milliseconds of HTTPS - PHPNW16

The first few milliseconds of HTTPS - PHPNW16

Joshua Thijssen

More Decks by Joshua Thijssen

Other Decks in Technology

Featured

Transcript