
What is Perfect Forward Secrecy?

Jérémy Courtial

May 14, 2014

Transcript

  1. “Ubikube server’s keys stolen. Communications compromised.”
     • KevBoy65: Those noobs should have used Perfect Forward Secrecy.
     • HanSauron McFly: ECDHE bitches…
     • DrCrypto: The Internet is fundamentally flawed. By centralizing sensitive data and building security features around a pair of keys, this sort of issue will continue to happen. We need to enforce Perfect Forward Secrecy across the whole web.
     • Auntie: What is Ubikube?
     • NotSoSubtleBot: I’ve found a way to earn $50,000 per week. Click here.
  2. Perfect what?
     • “Perfect Forward Secrecy” & “Elliptic Curves” were the 2013 security buzzwords
     • Twitter, Google, GitHub proudly use them
     • Thank the NSA for the show
  3. SSL/TLS
     • Transport Layer Security (SSL successor)
     • Provides a secure communication channel
     • Transparently encapsulates other application protocols
     • The “S” in HTTPS
  4. TLS building blocks
     • X.509 certificates: server and client (optional) authentication
     • Key exchange: exchange of the encryption key
     • Data encryption: symmetric cryptography
  5. Key Exchange
     • Client and server need a shared key in order to encrypt communication
     • How to exchange it while avoiding MITM attacks?
       ◦ RSA
       ◦ Diffie–Hellman
  6. Handshake (RSA)
     • Client → Server: Client Hello + random value
     • Server → Client: Server Hello + certificate + random value
     • Client: checks the server certificate, generates a pre-master secret and encrypts it with the server public key
     • Client → Server: encrypted pre-master secret + Finished
     • Server: decrypts the pre-master secret
     • Both sides: generate the master key from the pre-master secret and the random values
     • Server → Client: Finished
  7. So what?
     • The pre-master secret is transmitted
     • Communications can be recorded
     • One day, someone will crack/steal the server private key
  8. Perfect Forward Secrecy
     • Secrets should remain secrets
     • If the private key is compromised, past communications shouldn’t be compromised
     • Don’t use the private key for key exchange
       ◦ Better: don’t exchange a key at all
  9. Diffie–Hellman
     • Another key exchange method (≠ RSA)
     • Generates a secret key on both sides without the need for encryption or prior shared knowledge
     • Each key is independent from the previous ones
  10. DH Ephemeral (public parameters p, g)
     • Client: chooses a, sends A = g^a mod p
     • Server: chooses b, sends B = g^b mod p
     • Client computes s = B^a mod p; server computes s = A^b mod p (the same shared secret)
  11. Perfect Forward Secrecy
     • The private key is not used anymore for encryption
     • An attacker must crack DHE for each communication
     • Discrete logarithm problem (i.e. it takes a LOT of time)
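To make slides 6 to 11 concrete, here is a toy model of both handshakes in Python. This is an example added to the transcript, not code from the deck. The RSA primes, the DH modulus (2^127 - 1) and SHA-256 as a stand-in for the TLS PRF are all constructed and far too small to be secure; they only show why a recording plus a stolen long-term key rebuilds an RSA session key but gives nothing usable against a DHE session.

```python
"""Toy model of RSA key transport versus ephemeral DH (slides 6-11).

Added example, not from the deck. Every parameter is constructed and
insecure in size; the point is the data flow, not the arithmetic strength.
"""
import hashlib
import secrets

# --- constructed toy parameters (NOT secure sizes) ---
RSA_P, RSA_Q = 1000003, 999983                        # two small primes
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))     # server's long-term private exponent

DH_P = 2**127 - 1                                     # a prime modulus (toy size)
DH_G = 2


def derive_key(pre_master: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: master key from the pre-master secret and both randoms."""
    material = pre_master.to_bytes(32, "big") + client_random + server_random
    return hashlib.sha256(material).digest()


def rsa_handshake():
    """RSA key transport (slide 6): the client encrypts a pre-master secret to the server key."""
    client_random = secrets.token_bytes(16)
    server_random = secrets.token_bytes(16)
    pre_master = secrets.randbelow(RSA_N)              # chosen by the client
    ciphertext = pow(pre_master, RSA_E, RSA_N)         # this value goes on the wire
    server_pre_master = pow(ciphertext, RSA_D, RSA_N)  # server recovers it with its private key
    transcript = {"client_random": client_random, "server_random": server_random,
                  "encrypted_pre_master": ciphertext}  # what a passive recorder sees
    return (derive_key(pre_master, client_random, server_random),
            derive_key(server_pre_master, client_random, server_random),
            transcript)


def dhe_handshake():
    """Ephemeral DH (slide 10): fresh a and b per session; only g^a and g^b go on the wire."""
    client_random = secrets.token_bytes(16)
    server_random = secrets.token_bytes(16)
    a = secrets.randbelow(DH_P - 2) + 1                # client's ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1                # server's ephemeral secret
    A = pow(DH_G, a, DH_P)                             # sent by the client
    B = pow(DH_G, b, DH_P)                             # sent by the server
    transcript = {"client_random": client_random, "server_random": server_random,
                  "A": A, "B": B}                      # what a passive recorder sees
    client_key = derive_key(pow(B, a, DH_P), client_random, server_random)  # s = B^a mod p
    server_key = derive_key(pow(A, b, DH_P), client_random, server_random)  # s = A^b mod p
    return client_key, server_key, transcript


def attacker_with_stolen_key(transcript, stolen_d=RSA_D):
    """Offline attacker holding a recording plus the server's long-term private key (slide 7).
    RSA transport: decrypt the pre-master secret and rebuild the session key.
    DHE: the recording holds only A, B and the randoms; the long-term key unlocks nothing,
    and a (or b) would require a discrete logarithm for every single session (slide 11)."""
    if "encrypted_pre_master" not in transcript:
        return None
    pre_master = pow(transcript["encrypted_pre_master"], stolen_d, RSA_N)
    return derive_key(pre_master, transcript["client_random"], transcript["server_random"])


if __name__ == "__main__":
    ck, sk, t = rsa_handshake()
    print("RSA session key rebuilt from recording + stolen key:", attacker_with_stolen_key(t) == ck)
    ck2, sk2, t2 = dhe_handshake()
    print("DHE session key rebuilt from recording + stolen key:", attacker_with_stolen_key(t2) is not None)
```

Running two `dhe_handshake()` calls also shows slide 9's point that each session key is independent of the previous ones: the ephemeral exponents are discarded after use, so there is nothing persistent for a later compromise to recover.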
  12. Performance
     • Caveat: DHE is much slower than RSA (+300%)
     • Use DHE with Elliptic Curves (+15% to +30% only)
     • ECDHE is based on the “algebraic structure of elliptic curves over finite fields”
     • Go to Wikipedia for Elliptic Curves...
  13. Usage
     • Used by only 9% of websites
     • ECDHE only supported by recent browsers
     • Could be the norm in TLS 1.3
  14. Challenges
     • Websites often use abbreviated TLS sessions for performance
       ◦ Session ID
       ◦ Session Ticket
     • Both must be adapted for PFS
  15. Session ID
     • Server stores previous TLS sessions in order to restore them quickly
     • For PFS, sessions need to be cached in memory with no swap
     • Cache should turn over frequently (e.g. every day)
  16. Session Tickets
     • Full TLS session stored encrypted on the client side. Used to resume a previous session.
     • Previous key needed in order to decrypt sessions. Shared across multiple servers.
     • Issue: no shared key with PFS
  17. Session Tickets & PFS
     • A dedicated session-key generator server generates a new key every 12h (e.g. /tmpfs/key_4484565, key_4455669, key_4425484) and removes old keys after 36h
     • Frontend servers fetch the keys every 5 min over SSH with DH
     • A new key is considered current after 20 min
     • Based on the Twitter article “Forward Secrecy at Twitter”
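The rotation policy on slide 17 is easy to get subtly wrong (sealing with a key some frontends have not fetched yet, or keeping a key decryptable forever), so here it is written out as a small Python model. This is an example added here, not Twitter's or the deck's code; the key names are the slide's, the timings (12h, 36h, 5 min, 20 min) are the slide's, and the clock values in the test are constructed.

```python
"""Ticket-key rotation policy of slide 17 as code.

Added example, not code from the deck or from Twitter. Key directory is
modelled as {key name: creation time}; clock values used with it are constructed.
"""
from datetime import datetime, timedelta

ROTATE_EVERY = timedelta(hours=12)     # generator mints a new key every 12h
FETCH_EVERY = timedelta(minutes=5)     # frontends pull the key directory every 5 min
CURRENT_AFTER = timedelta(minutes=20)  # seal new tickets with a key only once every frontend has had time to fetch it
RETIRE_AFTER = timedelta(hours=36)     # older keys are deleted; tickets sealed under them can no longer resume


def generator_tick(keys: dict, now: datetime, new_name: str) -> dict:
    """One pass of the key-generator server: drop keys past 36h, mint a key if the newest is 12h old."""
    keys = {n: t for n, t in keys.items() if now - t < RETIRE_AFTER}
    if not keys or now - max(keys.values()) >= ROTATE_EVERY:
        keys[new_name] = now
    return keys


def select_ticket_keys(keys: dict, now: datetime):
    """Frontend view of the fetched key directory.
    Returns (key used to seal new tickets, set of keys still accepted for unsealing).
    The sealing key is the newest one that has been visible for at least 20 min,
    so a frontend that fetched 5 min ago never issues a ticket its peers cannot read."""
    live = {n: t for n, t in keys.items() if now - t < RETIRE_AFTER}
    eligible = [n for n, t in live.items() if now - t >= CURRENT_AFTER]
    if not eligible:
        raise RuntimeError("no ticket key has been current for 20 minutes yet")
    seal_with = max(eligible, key=lambda n: live[n])
    return seal_with, set(live)


def max_ticket_exposure() -> timedelta:
    """Longest time a captured ticket stays decryptable by anyone who later steals the key
    directory: sealed at the earliest when its key is 20 min old, unreadable once the key
    is deleted at 36h. This is the window PFS shrinks to, instead of the long-term key lifetime."""
    return RETIRE_AFTER - CURRENT_AFTER


if __name__ == "__main__":
    now = datetime(2014, 5, 14, 12, 0)             # constructed clock value
    keys = {"key_4425484": now - timedelta(hours=24, minutes=10),
            "key_4455669": now - timedelta(hours=12, minutes=10)}
    keys = generator_tick(keys, now, "key_4484565")
    print(select_ticket_keys(keys, now))
    print(select_ticket_keys(keys, now + timedelta(minutes=25)))
```

The two calls in the demo show the hand-over: right after minting, frontends keep sealing with `key_4455669` and only switch to `key_4484565` once it has been fetchable for 20 minutes, while tickets sealed under all three keys still resume.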
  18. HTTP & TLS
     • “Strict Transport Security” header
     • Forces HTTPS for future requests
       Strict-Transport-Security: max-age=2592000; includeSubDomains
  19. HTTP & TLS
     • Certificate pinning through a header
     • Associates the host with the certificate
       Public-Key-Pins: max-age=2592000; pin-sha256="4n972H... yw4uqe/baXc="
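Both headers on slides 18 and 19 fail silently when malformed (browsers simply ignore them), so a deploy-time check is worth having. The Python below is an example added here, not code from the deck: it parses the two header values and flags the weak or invalid cases (missing or zero `max-age`, no `includeSubDomains`, a pin that is not a base64 SHA-256 digest, fewer than the two pins RFC 7469 requires so that a key rotation has a backup). The pin values in the test are SHA-256 digests of made-up byte strings, not of any real key. Note that `Public-Key-Pins` has since been deprecated and removed from major browsers; `Strict-Transport-Security` remains in use.

```python
"""Checker for Strict-Transport-Security (RFC 6797) and Public-Key-Pins (RFC 7469) values.

Added example, not from the deck. Thresholds are assumptions: the 30-day minimum
matches the max-age=2592000 used on the slides.
"""
import base64
import binascii
import hashlib

THIRTY_DAYS = 30 * 24 * 3600   # 2592000 s, the value on the slides


def parse_directives(value: str):
    """'max-age=2592000; includeSubDomains' -> [('max-age', '2592000'), ('includesubdomains', '')].
    Repeated names (several pin-sha256) are kept; surrounding quotes are stripped."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out.append((name.strip().lower(), val.strip().strip('"')))
    return out


def check_hsts(value: str, min_age: int = THIRTY_DAYS):
    """Findings for a Strict-Transport-Security value; empty list means it looks sound."""
    d = dict(parse_directives(value))
    findings = []
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or not numeric: browsers ignore the whole header")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 clears the policy instead of enforcing HTTPS")
    elif int(d["max-age"]) < min_age:
        findings.append(f"max-age below {min_age}s: protection lapses soon after the last visit")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains remain reachable over plain HTTP")
    return findings


def check_hpkp(value: str):
    """Findings for a Public-Key-Pins value; empty list means it looks sound."""
    directives = parse_directives(value)
    d = dict(directives)
    findings = []
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or not numeric: browsers ignore the whole header")
    pins = [v for n, v in directives if n == "pin-sha256"]
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except binascii.Error:
            raw = b""
        if len(raw) != 32:
            findings.append(f"pin {pin!r} is not a base64-encoded SHA-256 digest")
    if len(pins) < 2:
        findings.append("fewer than two pins: no backup pin, so a key rotation locks visitors out")
    return findings


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a SubjectPublicKeyInfo given in DER form (base64 of its SHA-256)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
```

`spki_pin` takes the DER-encoded SubjectPublicKeyInfo of the certificate (or of a backup key), which is what the pin on slide 19 is computed over; the rest of the certificate is not part of the hash, so the pin survives a re-issue with the same key.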
  20. HTTP & TLS
     • HTTPS is now the norm
     • TLS mandatory for HTTP/2?
       ◦ Technical and legal implications
       ◦ Is it the role of a specification to force encryption?
  21. Bibliography
     • TLS & PFS materials
       ◦ http://vincent.bernat.im/en/blog
       ◦ https://www.imperialviolet.org
       ◦ Thomas Pornin’s answers on StackExchange
     • PFS in practice
       ◦ https://blog.twitter.com/2013/forward-secrecy-at-twitter
       ◦ https://github.com/blog/1734-improving-our-ssl-setup
     • And of course Wikipedia