HTTPS & TLS in 2016: Security practices from the front lines

AppSecUSA Washington, DC
October 13, 2016

Kenneth White


Transcript

  1. 1.

    HTTPS & TLS in 2016: Security practices from the front lines

    Kenneth White, opencryptoaudit.org/people
    Eric Mill, eric@konklone.com
    AppSecUSA, Washington, October 13, 2016
  2. 2.

    Topics
    •  What is HTTPS and TLS?
    •  Making the web HTTPS by default
    •  HTTP Strict Transport Security (HSTS)
    •  Certificate Transparency
    •  Modern deployment (CDNs, HTTP/2, SNI)
    •  Ciphersuites & Protocols: Interop & Tradeoffs (201)
    •  The OpenSSL 1.1 Audit
    •  Closing thoughts and Q&A
  4. 5.

    Authenticity

    Modern encryption is authenticated.
    Authentication protects against impersonation.
    Authentication requires tamper-resistance:
    Hashes
    Message Authentication Codes (MACs)
    Nonces
  7. 8.

    Authenticity

    If you encrypt app data on your network, but don’t authenticate it, it’s not your data.
    Unsigned (or signed-then-encrypted) network packets allow me to become you.
    Without auth, Admin=0 becomes: Admin=1
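
The Admin=0 to Admin=1 case from this slide, as an added example that is not part of the original deck: an unauthenticated stream cipher accepts a one-byte ciphertext change, while encrypt-then-MAC rejects it. The SHA-256 counter-mode keystream is a toy stand-in for AES-CTR or ChaCha20, and all function names and the sample message are hypothetical.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode), a stand-in for AES-CTR/ChaCha20.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR; there is no integrity check.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = xor_crypt(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag) -> bytes:
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: ciphertext was modified")
    return xor_crypt(enc_key, nonce, ct)

def flip_byte(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Needs no key: XORing (old ^ new) into the ciphertext changes the plaintext.
    out = bytearray(ct)
    out[offset] ^= old[0] ^ new[0]
    return bytes(out)

def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    message = b"user=alice;Admin=0"  # constructed sample message
    ct, tag = seal(enc_key, mac_key, nonce, message)
    tampered = flip_byte(ct, message.index(b"Admin=") + 6, b"0", b"1")
    unauthenticated = xor_crypt(enc_key, nonce, tampered)  # accepted silently
    try:
        open_sealed(enc_key, mac_key, nonce, tampered, tag)
        rejected = False
    except ValueError:
        rejected = True
    return unauthenticated, rejected

if __name__ == "__main__":
    print(demo())
```

In production the same property comes from an AEAD mode such as AES-GCM or ChaCha20-Poly1305 rather than a hand-built construction.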
  10. 13.
  11. 14.
  12. 15.
  13. 16.
  14. 17.

    Integrity

    Anyone on the network can freely modify a website that isn’t using HTTPS.
    Using plain HTTP voids any strong privacy or security guarantees a website claims to offer.
  16. 20.
  17. 21.
  18. 22.
  19. 23.
  20. 24.
  21. 25.
  22. 26.
  23. 27.
  24. 28.
  26. 32.
  27. 36.
  28. 37.
  30. 39.
  31. 40.
  32. 41.
  33. 42.
  34. 43.
  35. 44.
  37. 46.
  38. 47.
  39. 48.
  41. 51.
  42. 52.
  43. 53.
  44. 54.
  45. 57.

    Real-world Apache/Nginx TLS

    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA
  48. 60.

    Real-world Apache/Nginx TLS

    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH
    HMAC: MD5, SHA-1, SHA-256, SHA-384, SHA-512, Poly1305
    MODE: ECB, CBC, GCM, OCB
    AUTH: ECDSA, RSA
    Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)
  51. 65.
  52. 66.

    Highly Recommended

    Qualys SSL Labs
    https://www.ssllabs.com/ssltest/
    Bulletproof SSL & TLS
    https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
    Mirage TLS handshake interactive server
    https://tls.openmirage.org/
    Adam Langley: Matching primitive strengths
    https://www.imperialviolet.org/2014/05/25/strengthmatching.html
  53. 67.

    Highly Recommended

    Mozilla Server-Side TLS/SSL Config Generator
    https://mozilla.github.io/server-side-tls/ssl-config-generator/
    Mozilla Security/Server-Side TLS Wiki
    https://wiki.mozilla.org/Security/Server_Side_TLS
    Scott Helme: Windows TLS config
    https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/
    Scott Helme: Let’s Encrypt ECDSA certificates
    https://scotthelme.co.uk/ecdsa-certificates/
  55. 70.

    OpenSSL 1.1 Audit

    Directed by the Open Crypto Audit Project (opencryptoaudit.org)
    Commissioned by Linux Foundation’s Core Infrastructure Initiative (CII)
    Ambitious Scope
    Independent review
    Coordinating closely with OpenSSL core team
    Delayed for v. 1.1 maturity (significant refactor)
    Diverse, complex codebase:
    Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris)
    Intel x86 (incl. AES-NI), ARM6/7, MIPS, PowerPC, Alpha…
    FIPS module
  56. 71.

    OpenSSL 1.1 Audit

    Major Goals
    –  Thorough public security analysis of the core code in the next major release of OpenSSL
    –  Demonstrate viability of a reusable open source test harness framework
    –  Foster web-scale peer-reviewed public tools & data sets for protocol & negotiation analysis
  57. 72.

    OpenSSL 1.1 Audit

    Phase 1 Goals
    •  BigNum: multiprecision ints, constant time, blinding
    •  BIO (focus on composition & file functions)
    •  ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains)
    •  93M cert corpus, “Frankencert” fuzzing
  58. 73.

    OpenSSL 1.1 Audit

    Phase 2 Goals
    •  TLS state machine
    •  EVP (PKI constructions, H/MACs, envelopes)
    •  Protocol flows, core engine implementation
    •  Memory management
    •  Crypto core (RSA, SHA-2, DH/ECDH, CBC, GCM…)
  59. 76.

    OpenSSL 1.1 Audit

    Refactored:
    BIO networking library (full support for IPv6)
    EVP
    Bignum
    Core data structures
    Record Layer rewrite
    SSL/TLS state machine
    Version negotiation
  60. 77.

    OpenSSL 1.1 Audit

    Removed:
    SSLv2
    40- and 56-bit cipher support
    FIPS 140-2 module (but coming soon: https://www.openssl.org/blog/blog/2016/07/20/fips/)
    Kerberos ciphersuite support
    Removed from DEFAULT ciphersuites: RC4
  61. 78.

    OpenSSL 1.1 Audit

    Added:
    AFALG engine (Linux userspace hardware crypto via netlink: https://lwn.net/Articles/410763/)
    Asynchronous crypto operations (libcrypto and libssl)
    CCM (authenticated) block cipher mode
    ChaCha/Poly (see: https://news.ycombinator.com/item?id=10710140)
    HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
    OCB (authenticated) block cipher mode
    Pipelining, Threading API
    Scrypt
    Curve25519: (see: https://www.ietf.org/mail-archive/web/cfrg/current/msg04996.html)
  63. 82.

    HTTPS & TLS in 2016: Security practices from the front lines

    Kenn White, admin@opencryptoaudit.org
    Eric Mill, eric@konklone.com