Slide 1

TLS 1.3
Nick Sullivan (@grittygrease) and Filippo Valsorda (@FiloSottile)

Slide 2


Slide 3

• 1994: SSLv2
• 1995: SSLv3
• 1999: TLS 1.0
• 2006: TLS 1.1
• 2008: TLS 1.2
• …

Slide 4


Slide 5


Slide 6


Slide 7

TLS 1.2 ECDHE

Client -> Server: Client Hello (supported cipher suites)
Server -> Client: Server Hello (chosen cipher suite), Key share, Certificate & signature
Client -> Server: Key share, Finished
Server -> Client: Finished
Client -> Server: HTTP GET
Server -> Client: HTTP Answer

Slide 8

TLS 1.2 ECDHE

Slide 9

TLS 1.0, 1.1 and 1.2 are not that different. TLS 1.3 is a BIG jump.

Slide 10

RTT--; 10

Slide 11

TLS 1.3

Client -> Server: Client Hello (supported AEADs / groups / signatures), Key share
Server -> Client: Server Hello (chosen AEAD), Key share, Certificate & signature, Finished
Client -> Server: Finished, HTTP GET
Server -> Client: HTTP Answer

Slide 12

TLS 1.3

Slide 13

Hello Retry Request

Client -> Server: Client Hello (supported AEADs / groups / signatures), Key share
Server -> Client: Hello Retry Request (chosen group), Cookie
Client -> Server: Client Hello, Cookie, Other key share
Server -> Client: Server Hello (chosen AEAD), Key share, Certificate & signature, Finished
…

Slide 14

Resumption: “Hey, I know you!”

Slide 15

TLS 1.2 ECDHE, New Session Ticket

Client -> Server: Client Hello (supported cipher suites)
Server -> Client: Server Hello (Session ID), Key share
Client -> Server: Key share, Finished
Server -> Client: New Session Ticket, Finished
Client -> Server: HTTP GET
Server -> Client: HTTP Answer

Slide 16

TLS 1.2 Resumption

Client -> Server: Client Hello (Session ID / Ticket)
Server -> Client: Server Hello, Finished
Client -> Server: Finished, HTTP GET
Server -> Client: HTTP Answer

Slide 17

TLS 1.3 Resumption

Client -> Server: Client Hello (Session Ticket (PSK))
Server -> Client: Server Hello, Finished
Client -> Server: Finished, HTTP GET
Server -> Client: HTTP Answer

Slide 18

Forward Secrecy

Client -> Server: Client Hello (Session Ticket (PSK))
Server -> Client: Server Hello, Finished
Client -> Server: Finished, HTTP GET
Server -> Client: HTTP Answer

Annotation on the whole exchange: “Decrypt this with the session ticket key.” With PSK-only resumption every key is derived from the PSK inside the ticket, so whoever holds the ticket key can decrypt the entire connection.

Slide 19

PSK-ECDHE

Client -> Server: Client Hello (Session Ticket (PSK)), Key share
Server -> Client: Server Hello, Key share, Finished
Client -> Server: Finished, HTTP GET
Server -> Client: HTTP Answer

Slide 20

0-RTT!

Slide 21

0-RTT

Client -> Server: Client Hello (Session Ticket (PSK)), Key share, HTTP GET
Server -> Client: Server Hello, Key share, Finished, HTTP Answer
Client -> Server: Finished

Slide 22

0-RTT! But…

Slide 23

0-RTT: no PSK-ECDHE (the early data is keyed from the PSK alone; the key shares have not been exchanged yet)

Slide 24

0-RTT w/ ECDHE

Client -> Server: Client Hello (Session Ticket (PSK)), Key share, HTTP GET
Server -> Client: Server Hello, Key share, Finished      <- forward secret from here
Client -> Server: Finished
Server -> Client: HTTP Answer

Slide 25

TLS 1.2 is forward secret:
• Relative to the certificate: always (using ECDHE)
• Relative to the ticket key: never

TLS 1.3 is forward secret:
• Relative to the certificate: always
• Relative to the ticket key: always with PSK-ECDHE, except for the 0-RTT early data

Slide 26

0-RTT: Replays

Slide 27

0-RTT replay

Client Hello (Session Ticket (PSK)), Key share, HTTP GET
Client Hello (Session Ticket (PSK)), Key share, HTTP GET      <- the same flight, captured and sent again

Slide 28

obfuscated_ticket_age
• The client sends the age in milliseconds of the ticket
• The server checks it matches its view, with some leeway
• Obfuscated with a ticket_age_add value sent as part of the New Session Ticket message

struct {
    opaque identity<1..2^16-1>;
    uint32 obfuscated_ticket_age;
} PskIdentity;

Slide 29

0-RTT confirmation

Client -> Server: Client Hello (Session Ticket (PSK)), Key share, HTTP POST
Server -> Client: Server Hello, Key share, Finished
Client -> Server: Finished
Server: HTTP POST (the buffered early data, processed only now)
Server -> Client: HTTP Answer

Slide 30

max_early_data_size
• The server must either accept or reject the early data, entirely, without knowing how much there will be
• If it accepts it and can’t process it, it must buffer it
• Once the Finished comes, all early data is confirmed
• max_early_data_size limits the buffer size
• Devised with Drew Springall
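
The two server-side checks from the obfuscated_ticket_age and max_early_data_size slides, as an added example in Go (the language of tls-tris); this is not code from tls-tris or crypto/tls. The leeway, the early-data limit and all type and function names are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Added example for the obfuscated_ticket_age check and the
// max_early_data_size buffer; not code from tls-tris or crypto/tls.
// The leeway, the early-data limit and all names are assumptions.

const (
	ticketAgeLeeway  = 10 * time.Second // tolerated clock/network drift (assumed)
	maxEarlyDataSize = 16384            // max_early_data_size sent in the ticket (assumed)
)

// Ticket is the server's record of a session ticket it issued.
type Ticket struct {
	IssuedAt     time.Time
	TicketAgeAdd uint32 // random value carried in the NewSessionTicket
	Lifetime     time.Duration
}

// ObfuscatedTicketAge is the value the client puts in PskIdentity: the
// ticket's age in milliseconds plus ticket_age_add, modulo 2^32.
func ObfuscatedTicketAge(age time.Duration, ticketAgeAdd uint32) uint32 {
	return uint32(age/time.Millisecond) + ticketAgeAdd // uint32 addition wraps mod 2^32
}

// CheckTicketAge undoes the obfuscation and compares the client's claimed age
// with the server's own view. A replayed ClientHello carries the age the
// client computed the first time, so it drifts out of the leeway as time passes.
func CheckTicketAge(t *Ticket, obfuscated uint32, now time.Time) error {
	claimed := time.Duration(obfuscated-t.TicketAgeAdd) * time.Millisecond
	actual := now.Sub(t.IssuedAt)
	if actual < 0 || actual > t.Lifetime {
		return errors.New("ticket expired or not yet valid")
	}
	diff := actual - claimed
	if diff < 0 {
		diff = -diff
	}
	if diff > ticketAgeLeeway {
		return fmt.Errorf("ticket age mismatch: client claims %v, server sees %v", claimed, actual)
	}
	return nil
}

// EarlyDataBuffer holds 0-RTT records until the client's Finished arrives.
// The server committed to the early data before knowing how much there is,
// so max_early_data_size is what bounds the memory it has to reserve.
type EarlyDataBuffer struct {
	data []byte
}

var ErrTooMuchEarlyData = errors.New("early data exceeds max_early_data_size")

// Write appends one decrypted early-data record, enforcing the limit.
func (b *EarlyDataBuffer) Write(rec []byte) error {
	if len(b.data)+len(rec) > maxEarlyDataSize {
		return ErrTooMuchEarlyData // fatal: the client broke the advertised limit
	}
	b.data = append(b.data, rec...)
	return nil
}

// Confirm is called once the client's Finished has verified; only then is
// the buffered early data handed to the application.
func (b *EarlyDataBuffer) Confirm() []byte {
	return b.data
}

func main() {
	issued := time.Now().Add(-90 * time.Second)
	tk := &Ticket{IssuedAt: issued, TicketAgeAdd: 0xdeadbeef, Lifetime: 24 * time.Hour}
	obf := ObfuscatedTicketAge(90*time.Second, tk.TicketAgeAdd)
	fmt.Println("fresh ClientHello:", CheckTicketAge(tk, obf, time.Now()))
	fmt.Println("replayed a minute later:", CheckTicketAge(tk, obf, time.Now().Add(time.Minute)))
}
```

The age check only narrows the replay window to the leeway; a copy of the ClientHello sent within those seconds still passes, which is why the decision about what early data is safe to act on has to go up to the application, as the following slides argue.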

Slide 31

It’s the application’s responsibility

“Protocols MUST NOT use 0-RTT data without a profile that defines its use.”

Slide 32

It’s the API’s responsibility
• Default to 1-RTT
• Allow the server to reject the early data, or to wait for the Finished before acting on it
• Let the client decide what to send as early data

Slide 33

HTTP and 0-RTT
• Utopia: GET is idempotent!
• Reality: nope.

GET /send_money.php?to=filippo&amount=1000

Slide 34

HTTP and 0-RTT
• Utopia: GET is idempotent!
• Reality: nope.

Slide 35

HTTP and 0-RTT
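
How an HTTP application can take the responsibility the previous slides hand to it, as an added Go example; this is not Cloudflare's code or the Go standard library's. It assumes a TLS-terminating front end that flags requests which arrived as 0-RTT early data with the RFC 8470 "Early-Data: 1" request header, and it answers with RFC 8470's 425 Too Early when such a request must wait for the handshake. The "/static/" path policy and the handler names are this example's assumptions.

```go
package main

import (
	"net/http"
	"strings"
)

// Added example for the "HTTP and 0-RTT" slides; not Cloudflare's code or
// the Go standard library's. Assumes the RFC 8470 Early-Data header and
// 425 Too Early status; the path policy below is an assumption.

// safeMethods are the methods RFC 7231 calls safe. Method alone is not a
// sufficient test, as GET /send_money.php shows, hence the path policy too.
var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true}

// EarlyDataAllowed reports whether a request that arrived as early data may
// be processed without waiting for the client's Finished.
func EarlyDataAllowed(r *http.Request) bool {
	if r.Header.Get("Early-Data") != "1" {
		return true // not early data: the handshake already completed
	}
	if !safeMethods[r.Method] {
		return false // a replayed POST repeats its side effect
	}
	// Assumed site policy: only static assets are known to be replay-safe.
	return strings.HasPrefix(r.URL.Path, "/static/")
}

// RejectEarlyData wraps an application handler. Rejected requests get 425,
// which tells the client to retry once the 1-RTT handshake has completed.
func RejectEarlyData(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !EarlyDataAllowed(r) {
			http.Error(w, "retry after the handshake completes", http.StatusTooEarly)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	http.ListenAndServe("127.0.0.1:8080", RejectEarlyData(app))
}
```

Placing the decision in a wrapper around the whole application, rather than inside each handler, matches the slide's point: the default has to be "no" for anything that might have a side effect, and individual endpoints opt in.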

Slide 36

(chart: Complexity vs. Benefit)

Slide 37

No Forward Secrecy: TLS 1.2 Static RSA mode

Client -> Server: Client Hello (supported cipher suites)
Server -> Client: Server Hello (chosen cipher suite), Certificate
Client -> Server: premaster secret encrypted with the certificate's public key, Finished
Server -> Client: Finished

Slide 38

To: IETF TLS 1.3 Working Group Members

My name is Andrew Kennedy and I work at BITS, the technology policy division of the Financial Services Roundtable (http://www.fsroundtable.org/bits). My organization represents approximately 100 of the top 150 US-based financial services companies including banks, insurance, consumer finance, and asset management firms.

[...]

Deprecation of the RSA key exchange in TLS 1.3 will cause significant problems for financial institutions, almost all of whom are running TLS internally and have significant, security-critical investments in out-of-band TLS decryption.

[...]

Slide 39

Out-of-band TLS decryption? Yes, please!

Slide 40

Hi Andrew,

My view concerning your request: no.

Rationale: We're trying to build a more secure internet.

Meta-level comment: You're a bit late to the party. We're metaphorically speaking at the stage of emptying the ash trays and hunting for the not quite empty beer cans. More exactly, we are at draft 15 and RSA key transport disappeared from the spec about a dozen drafts ago. I know the banking industry is usually a bit slow off the mark, but this takes the biscuit.

Cheers,

Kenny

Slide 41

No content

Slide 42

No content

Slide 43

RC4

Slide 44

3DES

Slide 45

MD5 & SHA1: SLOTH (2016)

Slide 46

AES-CBC: Vaudenay (2002), Boneh/Brumley (2003), BEAST (2011), Lucky13 (2013), POODLE (2014), Lucky Microseconds (2015)

Slide 47

RSA-PKCS1-1.5: Bleichenbacher (1998!!), Jager (2015), DROWN (2016)

Slide 48

Compression: CRIME (2012)

Slide 49

Renegotiation: Marsh Ray attack (2009), Renegotiation DoS (2011), Triple Handshake (2014)
Replaced with a lightweight key update

Slide 50

Lucky 13, RC4 Weakness, POODLE, Vaudenay Padding Oracle, BEAST, CRIME, BREACH, WeakDH, FREAK, SLOTH, Lucky Microseconds, DROWN, LogJam

Slide 51

& Fortify

Slide 52

No content

Slide 53

TLS 1.2 Certificate Authentication
• Cipher negotiation protected by the Finished message (MAC)
• MAC algorithm determined by the cipher negotiation
• FREAK, LogJam, CurveSwap: choose weak parameters

The protection is circular: if an attacker can steer the negotiation to weak parameters, the Finished MAC that is supposed to detect the tampering is itself computed under those weak parameters.

Slide 54

TLS 1.2 ECDHE: the negotiation is NOT SIGNED

Client -> Server: Client Hello (supported cipher suites)        <- NOT SIGNED
Server -> Client: Server Hello (chosen cipher suite)             <- NOT SIGNED
Server -> Client: Key share, Certificate & signature (the signature covers the key share and the randoms, not the Hellos)
Client -> Server: Key share, Finished
Server -> Client: Finished
Client -> Server: HTTP GET
Server -> Client: HTTP Answer

Slide 55

TLS 1.3

Client -> Server: Client Hello (supported AEADs / groups / signatures), Key share   }
Server -> Client: Server Hello (chosen AEAD), Key share, Certificate                 } covered by the Signature
Server -> Client: Signature, Finished
Client -> Server: Finished, HTTP GET
Server -> Client: HTTP Answer

The signature is over the whole handshake transcript so far, Hellos included, so a tampered negotiation does not verify.

Slide 56

Fewer, better choices
• Key Exchange, Cipher, Authentication negotiated separately
• No arbitrary DH groups
• No arbitrary curves

Slide 57

No content

Slide 58

No content

Slide 59

No content

Slide 60

Safer Resumption

TLS 1.2 tickets
• Current session keys encrypted with the session ticket key
• Session ticket key compromise is a risk for all connections

TLS 1.3 tickets
• Next session's keys encrypted with the session ticket key
• Session ticket key compromise is only a risk for resumed connections

Slide 61

TLS 1.2 ECDHE, New Session Ticket

Client -> Server: Client Hello (supported cipher suites)
Server -> Client: Server Hello (Session ID), Key share
Client -> Server: Key share, Finished
Server -> Client: New Session Ticket      <- Unencrypted
Server -> Client: Finished
Client -> Server: HTTP GET
Server -> Client: HTTP Answer

Slide 62

Formal Verification
• Tamarin (Oxford, Royal Holloway)
• ProScript-TLS, miTLS (INRIA)
• nqsb-TLS (Cambridge)

Slide 63

Standards: The IETF way

Slide 64


Slide 65

Timeline
• First Draft: April 17, 2014
• 3Shake, POODLE, FREAK, LogJam, DROWN, Lucky Microseconds, SLOTH, more…
• Draft 18: October 26, 2016
• Final draft: February, 2017 (we hope)
• TLS 1.2: 79 pages
• TLS 1.3: 81 pages (minus references and appendices)

Slide 66

GitHub + Mailing List

Slide 67

Key Schedule
• Inspired by QUIC crypto
• Semi-static DH key shared out of band
• Tree-based key schedule

Slide 68

                 0
                 |
                 v
   PSK ->  HKDF-Extract
                 |
                 +-----> Derive-Secret() = early_traffic_secret
                 |
                 v
(EC)DHE -> HKDF-Extract
                 |
                 +-----> Derive-Secret() = handshake_traffic_secret
                 |
                 v
     0 ->  HKDF-Extract
                 |
                 +-----> Derive-Secret() = traffic_secret_0
                 |
                 +-----> Derive-Secret() = resumption_master_secret
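
The tree above carried through in code, as an added Go example; this is not code from tls-tris or crypto/tls. Assumptions: SHA-256 as the hash, the "tls13 " label prefix and the client-side labels of the final RFC 8446 (the drafts at the time of the talk used "TLS 1.3, "), and the slide's simplified tree, so the "derived" steps and per-direction secrets that the final RFC inserted are left out. HKDF-Extract and HKDF-Expand are implemented directly from RFC 5869 on top of crypto/hmac.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Added example walking the slide's three-stage key schedule; not code from
// tls-tris or crypto/tls. Assumes SHA-256, the RFC 8446 "tls13 " label
// prefix and client-side labels, and the slide's simplified tree.

const hashLen = sha256.Size

// hkdfExtract(salt, IKM) = HMAC-Hash(salt, IKM); RFC 5869. A nil salt is
// the "0" input in the diagram: HashLen zero bytes.
func hkdfExtract(salt, ikm []byte) []byte {
	if salt == nil {
		salt = make([]byte, hashLen)
	}
	m := hmac.New(sha256.New, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// hkdfExpand(PRK, info, L); RFC 5869: T(i) = HMAC(PRK, T(i-1) | info | i).
func hkdfExpand(prk, info []byte, length int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < length; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// hkdfExpandLabel encodes HkdfLabel {uint16 length; opaque label<7..255>;
// opaque context<0..255>} and expands the secret with it as info.
func hkdfExpandLabel(secret []byte, label string, context []byte, length int) []byte {
	full := "tls13 " + label
	info := make([]byte, 2)
	binary.BigEndian.PutUint16(info, uint16(length))
	info = append(info, byte(len(full)))
	info = append(info, full...)
	info = append(info, byte(len(context)))
	info = append(info, context...)
	return hkdfExpand(secret, info, length)
}

// deriveSecret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), HashLen).
func deriveSecret(secret []byte, label string, transcript []byte) []byte {
	h := sha256.Sum256(transcript)
	return hkdfExpandLabel(secret, label, h[:], hashLen)
}

// Schedule holds the secrets the diagram produces, one HKDF-Extract per stage.
type Schedule struct {
	EarlySecret, EarlyTrafficSecret                      []byte
	HandshakeSecret, HandshakeTrafficSecret              []byte
	MasterSecret, TrafficSecret0, ResumptionMasterSecret []byte
}

// KeySchedule feeds each new input (PSK, then the (EC)DHE shared secret,
// then zeroes) into HKDF-Extract salted with the previous stage's secret,
// and derives that stage's traffic secret from the transcript so far.
func KeySchedule(psk, ecdhe, clientHello, serverHello, serverFinished []byte) Schedule {
	var s Schedule
	if psk == nil {
		psk = make([]byte, hashLen) // no PSK offered: a string of zeroes
	}
	s.EarlySecret = hkdfExtract(nil, psk)
	s.EarlyTrafficSecret = deriveSecret(s.EarlySecret, "c e traffic", clientHello)

	s.HandshakeSecret = hkdfExtract(s.EarlySecret, ecdhe)
	hs := append(append([]byte{}, clientHello...), serverHello...)
	s.HandshakeTrafficSecret = deriveSecret(s.HandshakeSecret, "c hs traffic", hs)

	s.MasterSecret = hkdfExtract(s.HandshakeSecret, make([]byte, hashLen))
	full := append(append([]byte{}, hs...), serverFinished...)
	s.TrafficSecret0 = deriveSecret(s.MasterSecret, "c ap traffic", full)
	s.ResumptionMasterSecret = deriveSecret(s.MasterSecret, "res master", full)
	return s
}

func main() {
	// Constructed placeholder inputs; a real run uses the negotiated shared
	// secret and the actual handshake messages.
	s := KeySchedule(nil, []byte("ecdhe shared secret"), []byte("ClientHello"), []byte("ServerHello"), []byte("Finished"))
	fmt.Println("traffic_secret_0:", hex.EncodeToString(s.TrafficSecret0))
}
```

Two properties of the tree are visible in the code: a stage's secret depends on everything extracted before it, so traffic_secret_0 changes if the PSK, the (EC)DHE secret or any transcript byte changes; and the labels keep sibling secrets (traffic_secret_0 and resumption_master_secret) independent even though they share a parent.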

Slide 69

What's in a name? Is it TLS 1.3, TLS 2, TLS 2.0, TLS 4, TLS 7, TLS 2017?

Slide 70


Slide 71

Version Intolerance
• Wire versions:
  SSL 3.0: 3.0
  TLS 1.0: 3.1
  TLS 1.1: 3.2
  TLS 1.2: 3.3
  TLS 1.3: 3.4 ???
• Servers are intolerant of 3.4: >2% of servers fail the connection
• Solution: “3.3” in the ClientHello, real versions in an extension
• GREASE, by David Benjamin
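
The workaround on this slide in code, as an added Go example; this is not code from crypto/tls, tls-tris or BoringSSL. It assumes the wire format of the supported_versions extension as finalised in RFC 8446 (a uint8-length list of uint16 versions) and the GREASE values of RFC 8701 (0x0a0a, 0x1a1a, ..., 0xfafa); the function names are this example's own. The client side shows what goes on the wire; the server side shows the tolerant behaviour that GREASE exists to enforce.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example for the version-intolerance workaround; not code from
// crypto/tls, tls-tris or BoringSSL. Assumes the RFC 8446 wire format of
// supported_versions and the RFC 8701 GREASE values.

const (
	VersionTLS12 uint16 = 0x0303 // "3.3", what legacy_version always says
	VersionTLS13 uint16 = 0x0304 // "3.4", the value >2% of servers choke on
)

// IsGREASE reports whether v has the 0x?a?a pattern with equal high and low bytes.
func IsGREASE(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

func putU16(b []byte, v uint16) []byte {
	var tmp [2]byte
	binary.BigEndian.PutUint16(tmp[:], v)
	return append(b, tmp[:]...)
}

// BuildClientHelloVersions returns what a TLS 1.3 client sends: "3.3" in the
// legacy_version field, and the real offers plus one GREASE value in the
// supported_versions extension body, so servers that cannot ignore unknown
// versions fail now rather than when "3.5" ships.
func BuildClientHelloVersions(grease uint16, offered ...uint16) (legacy uint16, ext []byte) {
	body := []byte{byte(2 * (1 + len(offered)))}
	body = putU16(body, grease)
	for _, v := range offered {
		body = putU16(body, v)
	}
	return VersionTLS12, body
}

// ParseSupportedVersions decodes the extension body into the offered list.
func ParseSupportedVersions(ext []byte) ([]uint16, error) {
	if len(ext) < 3 || ext[0] == 0 || ext[0]%2 != 0 || int(ext[0]) != len(ext)-1 {
		return nil, errors.New("malformed supported_versions")
	}
	var out []uint16
	for i := 1; i < len(ext); i += 2 {
		out = append(out, binary.BigEndian.Uint16(ext[i:]))
	}
	return out, nil
}

// SelectVersion is the tolerant server: when the extension is present it
// overrides legacy_version; values the server does not support, GREASE
// included, are skipped rather than treated as errors; the highest common
// version wins.
func SelectVersion(legacy uint16, ext []byte, supported []uint16) (uint16, error) {
	offered := []uint16{legacy}
	if ext != nil {
		parsed, err := ParseSupportedVersions(ext)
		if err != nil {
			return 0, err
		}
		offered = parsed
	}
	var best uint16
	for _, v := range offered {
		if IsGREASE(v) {
			continue
		}
		for _, s := range supported {
			if v == s && v > best {
				best = v
			}
		}
	}
	if best == 0 {
		return 0, errors.New("no mutually supported version")
	}
	return best, nil
}

func main() {
	legacy, ext := BuildClientHelloVersions(0x2a2a, VersionTLS13, VersionTLS12)
	fmt.Printf("legacy_version=%#04x supported_versions=%x\n", legacy, ext)
	v, err := SelectVersion(legacy, ext, []uint16{VersionTLS12, VersionTLS13})
	fmt.Printf("negotiated=%#04x err=%v\n", v, err)
}
```

A server that only reads legacy_version still negotiates TLS 1.2 and never sees 3.4, which is the whole point of the workaround; a server that parses the extension but aborts on 0x2a2a is exactly the intolerance GREASE is meant to surface early.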

Slide 72

Version Intolerance

Slide 73

Implementation: Getting our hands dirty

Slide 74

IETF 95 Hackathon, April 2016
• NSS (C): Martin Thomson and Eric Rescorla
• Mint (Go): Richard Barnes and Nick Sullivan
Result: Firefox was able to load https://tls13.cloudflare.com!

Slide 75

• Based on Go crypto/tls
• Server only
• Audited

Slide 76

https://go-review.googlesource.com/q/branch:+dev.tls

Slide 77

Deploying is hard
• First deployed Tris: draft 13
• Supported multiple drafts at a time (“hybrids”)
• Browsers sometimes… diverged

Slide 78


Slide 79

You may already be using it
• Firefox Nightly
• Chrome Beta (50%) / Canary

Slide 80

(timeline: Chrome Field Test, Firefox Nightly, Cloudflare Launch)

Slide 81

Nick Sullivan (@grittygrease) and Filippo Valsorda (@FiloSottile)
https://tlswg.github.io/tls13-spec/
https://github.com/cloudflare/tls-tris
https://blog.cloudflare.com/tag/tls-1-3/

Slide 82

Y U NO ENCRYPT SNI!?

Slide 83

TLS 1.3 can’t encrypt SNI

Client -> Server: Client Hello (SNI), Key share
Server -> Client: Server Hello, Key share, Certificate & signature, Finished

• No key has been negotiated yet when the Client Hello is sent
• The server already has to pick the certificate based on the SNI