Getting TLS Right - Speaker Deck

Slide 1

Slide 1 text

Getting TLS Right Zack Tollman @tollmanz

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

“Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.” — IETF https://tools.ietf.org/html/rfc7258

Slide 4

Slide 4 text

“Today we are announcing our intent to phase out non-secure HTTP” — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Slide 5

Slide 5 text

HTTP/2 is TLS only in Chrome and Firefox https://wiki.mozilla.org/Networking/http2

Slide 6

Slide 6 text

Now Later Less TLS More TLS

Slide 7

Slide 7 text

TLS knowledge is now essential

Slide 8

Slide 8 text

We are bad at TLS

Slide 9

Slide 9 text

78% of sites are not secure https://www.trustworthyinternet.org/ssl-pulse/

Slide 10

Slide 10 text

432 heartbleed vulnerabilities (0.3%) https://www.trustworthyinternet.org/ssl-pulse/

Slide 11

Slide 11 text

97% do not support HSTS https://www.trustworthyinternet.org/ssl-pulse/

Slide 12

Slide 12 text

37% do not support Perfect Forward Secrecy https://www.trustworthyinternet.org/ssl-pulse/

Slide 13

Slide 13 text

“misconfiguration errors are undermining the potential security” — Kranch & Bonneau (2015) http://www.internetsociety.org/sites/default/ﬁles/01_4_0.pdf

Slide 14

Slide 14 text

“industry-wide configuration problem with the deployment of DHE key exchange” — Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf

Slide 15

Slide 15 text

We don’t seem to understand TLS

Slide 16

Slide 16 text

Let’s fix that

Slide 17

Slide 17 text

Quick Note on TLS and SSL

Slide 18

Slide 18 text

function capital_TLS_dangit( $content ) { return str_replace( array( 'SSL', 'Secure Sockets Layer' ), array( 'TLS', 'Transport Layer Security' ), $content ) }

Slide 19

Slide 19 text

SSL v2 SSL v3 TLS v1 TLS v1.1 TLS v1.2 1995 1996 1999 2006 2008

Slide 20

Slide 20 text

Encryption Integrity Authentication Key Exchange

Slide 21

Slide 21 text

Authentication

Slide 22

Slide 22 text

Is the server the intended server?

Slide 23

Slide 23 text

Chain of trust

Slide 24

Slide 24 text

End Certificate *.wordpress.com Signing algorithm Signature Public Key Public Exponent

Slide 25

Slide 25 text

End Intermediate Certificate CA certificate Signature

Slide 26

Slide 26 text

End Root Certificate In browser Signature Intermediate

Slide 27

Slide 27 text

End Intermediate Root Trusts Trusts

Slide 28

Slide 28 text

Integrity

Slide 29

Slide 29 text

Is the message received the message sent?

Slide 30

Slide 30 text

Data Data

Slide 31

Slide 31 text

Data Data Hash Encrypt

Slide 32

Slide 32 text

Data Data Hash Encrypt Encrypt

Slide 33

Slide 33 text

Data Data Hash Encrypt Encrypt Receiver

Slide 34

Slide 34 text

Receiver has encrypted hash and encrypted data

Slide 35

Slide 35 text

E-Hash E-Data

Slide 36

Slide 36 text

E-Hash E-Data P-Hash P-Data

Slide 37

Slide 37 text

E-Hash E-Data P-Hash P-Data Hash

Slide 38

Slide 38 text

Hash Hash =

Slide 39

Slide 39 text

Encryption

Slide 40

Slide 40 text

Converts plaintext to ciphertext

Slide 41

Slide 41 text

Y B B C P B A S

Slide 42

Slide 42 text

Y B B C P B A S L O O P C O N F

Slide 43

Slide 43 text

A B C D E F N O P Q R S +13

Slide 44

Slide 44 text

Algorithm: Letter + 13 = Cipher Letter

Slide 45

Slide 45 text

Substitution Cipher Caesar Cipher

Slide 46

Slide 46 text

Key

Slide 47

Slide 47 text

Key 13

Slide 48

Slide 48 text

Weak cipher

Slide 49

Slide 49 text

Secrecy in algorithm is a problem

Slide 50

Slide 50 text

Secrecy in key is better

Slide 51

Slide 51 text

Advanced Encryption Standard - Rijndael http://www.moserware.com/2009/09/stick-ﬁgure-guide-to-advanced.html

Slide 52

Slide 52 text

Many rounds of substitution and permutations

Slide 53

Slide 53 text

Key Exchange

Slide 54

Slide 54 text

How do we establish an encryption key for 2 unknown parties over an insecure connection?

Slide 55

Slide 55 text

http://en.wikipedia.org/wiki/Enigma_machine#/media/File:Kenngruppenheft.jpg Ben Slivka

Slide 56

Slide 56 text

Couriers delivered the daily keys

Slide 57

Slide 57 text

http://en.wikipedia.org/wiki/Jeff_Bezos#/media/File:Jeff_Bezos%27_iconic_laugh.jpg

Slide 58

Slide 58 text

Doesn’t work for the modern web

Slide 59

Slide 59 text

Diffie-Hellman-Merkle key exchange

Slide 60

Slide 60 text

Each individual has a key by the time the process is complete

Slide 61

Slide 61 text

Demo

Slide 62

Slide 62 text

s is a premaster secret from which the master secret is derived

Slide 63

Slide 63 text

Master secret is the key used for encryption

Slide 64

Slide 64 text

Trapdoor functions

Slide 65

Slide 65 text

Easy one way

Slide 66

Slide 66 text

Impossibly difficult the other way

Slide 67

Slide 67 text

If a, b, g, or p are different, s is different

Slide 68

Slide 68 text

Perfect forward secrecy

Slide 69

Slide 69 text

Lavabit

Slide 70

Slide 70 text

I failed to update the Lavabit SSL configuration to prefer ciphers that provided perfect forward secrecy. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

Slide 71

Slide 71 text

Cipher Suites

Slide 72

Slide 72 text

Combination of algorithms for authentication, integrity, encryption, and key exchange

Slide 73

Slide 73 text

ECDHE-RSA-AES128-GCM-SHA256

Slide 74

Slide 74 text

ECDHE-RSA-AES128-GCM-SHA256 Key Exchange

Slide 75

Slide 75 text

ECDHE-RSA-AES128-GCM-SHA256 Certificate signing algorithm (Authentication)

Slide 76

Slide 76 text

ECDHE-RSA-AES128-GCM-SHA256 Cipher (Encryption)

Slide 77

Slide 77 text

ECDHE-RSA-AES128-GCM-SHA256 Message authentication code (Integrity)

Slide 78

Slide 78 text

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA- AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256- SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256- SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3- SHA

Slide 79

Slide 79 text

Slide 80

Slide 80 text

Slide 81

Slide 81 text

No content

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

TLS Handshake

Slide 84

Slide 84 text

Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished Application Data

Slide 85

Slide 85 text

1. Client hello Cipher suites TLS version Random bytes Client -> Server

Slide 86

Slide 86 text

2. Server hello Cipher suite choice TLS version choice Server -> Client

Slide 87

Slide 87 text

3. Certificate Certificate chain sent Cert signature matches auth algorithm Server -> Client

Slide 88

Slide 88 text

4. Server Key Exchange Info for key exchange Server -> Client

Slide 89

Slide 89 text

5. Server Hello Done Server has sent all info Server -> Client

Slide 90

Slide 90 text

6. Client Key Exchange Info for key exchange Client -> Server

Slide 91

Slide 91 text

7. Change Cipher Spec Enough info for encryption Switch to encryption Client -> Server

Slide 92

Slide 92 text

8. Finished Signals that handshake is done Client -> Server

Slide 93

Slide 93 text

9. Change Cipher Spec Server -> Client

Slide 94

Slide 94 text

10. Finished Server -> Client

Slide 95

Slide 95 text

TLS Handshake demo with Wireshark

Slide 96

Slide 96 text

Configure TLS with Nginx

Slide 97

Slide 97 text

All configuration in server block

Slide 98

Slide 98 text

ssl on;

Slide 99

Slide 99 text

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Slide 100

Slide 100 text

ssl_ciphers ECDHE-RSA-AES128-GCM- SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA- AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM- SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128- GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128- SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA- AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA- AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE- RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA- AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128- SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256- SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256- GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:! aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:! aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3- SHA:!KRB5-DES-CBC3-SHA

Slide 101

Slide 101 text

ssl_prefer_server_ciphers on;

Slide 102

Slide 102 text

ssl_certificate /path/to/ certificate.crt; ssl_certificate_key /path/to/ private-key.key;

Slide 103

Slide 103 text

istlsfastyet.com https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Slide 104

Slide 104 text

HTTP Strict Transport Security

Slide 105

Slide 105 text

SSL Stripping http://www.thoughtcrime.org/software/sslstrip/

Slide 106

Slide 106 text

What if HTTP variant was never accessed?

Slide 107

Slide 107 text

HSTS blocks browser from HTTP version of site

Slide 108

Slide 108 text

Set HSTS only after mixed content issues are resolved

Slide 109

Slide 109 text

add_header Strict-Transport- Security 'max-age=31536000; includeSubDomains';

Slide 110

Slide 110 text

Mixed Content

Slide 111

Slide 111 text

HTTP assets in HTTPS page is an attack vector

Slide 112

Slide 112 text

Content Security Policy

Slide 113

Slide 113 text

Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:; style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

Slide 114

Slide 114 text

Slide 115

Slide 115 text

Slide 116

Slide 116 text

Slide 117

Slide 117 text

Slide 118

Slide 118 text

Slide 119

Slide 119 text

Content-Security-Policy-Report- Only: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:; style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com; report-uri /beacon.php

Slide 120

Slide 120 text

upgrade-insecure-requests coming soon http://www.w3.org/TR/upgrade-insecure-requests/

Slide 121

Slide 121 text

TLS Configuration Needs Maintenance

Slide 122

Slide 122 text

A theoretical weakness became practical. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

Slide 123

Slide 123 text

I missed that development. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

Slide 124

Slide 124 text

tollmanz.com/loopconf-2015 @tollmanz