Slide 1

Hello, TLS 1.3
2018.09.12
Brice Bang, Buzzvil

Slide 2

Disclaimer
• This presentation may contain incorrect information
• Because I'm not a hacker / expert
• If you have any questions, they will help you

Slide 3

August 10, 2018

Slide 5

August 10, 2018
Have you ever waited for TLS 1.3 to be published here?

Slide 6

History of TLS
• Netscape developed the Secure Sockets Layer (SSL) protocol
• TLS v1.3
  • 2014.04: first draft
  • 2016.09: available on Cloudflare
  • 2018.03: 28th draft
  • 2018.08: finalized (RFC 8446)

Slide 7

TLS: Transport Layer Security

Slide 9

Transport Layer

Slide 10

The States of Digital Data

Slide 11

What Is the Transport Layer?
(Figure: protocol stack 802.11, IP, TCP, HTTP)

Slide 12

What Is the Transport Layer?
(Figure: protocol stack 802.11, IP, TCP, HTTPS)

Slide 13

Routing
(Figure: Sender (Client) to Receiver (Server))

Slide 15

Routing
• Have you ever sent/passed/received a note in class?

Slide 16

Pass Notes in Class
• Sender
  • Prepare a paper
  • Write your name
  • Write a message
  • Fold it
  • Write the receiver's name
  • Pass it to someone nearby
• Deliverer
  • See the name on the outside of the note
  • Find where the receiver is
  • Pass it along the shortest path, or to someone closer
• Receiver
  • See the name on the outside of the note
  • Open it
  • Check the name of the sender
  • Read the message

Slide 17

Pass Packets in the Internet (shown side by side with "Pass Notes in Class" from the previous slide)
• Client
  • Prepare a buffer
  • Write your IP address
  • Write a payload
  • Create a packet from the buffer
  • Write the receiver's IP address
  • Pass it to a nearby node
• Router
  • See the receiver's IP address of the packet
  • Find where the receiver is (routing protocol)
  • Pass it along the shortest path, or to a better next hop
• Receiver
  • See the receiver's IP address of the packet
  • Parse it
  • Check the IP address of the sender
  • Read the payload

Slide 18

(Same comparison as the previous slide)
• Is it a secure protocol?

Slide 19

Security

Slide 20

The Protocols Are Not Secure
(Figure: Sender (Client) Alice, Receiver (Server) Bob, with Eve in between)

Slide 21

The Protocols Are Not Secure
• Man-in-the-Middle attack: you can't trust the middle
(Figure: Sender (Client) Alice, Receiver (Server) Bob, with Eve in between)

Slide 22

Security Threats and Goals
• Eve can communicate with Alice pretending to be Bob
  • Authentication: your buddy is Bob, not Eve
• Eve can read the messages
  • Confidentiality (Privacy): only Alice and Bob can read them; no one else (including Eve) can
• Eve can modify or forge the messages
  • Integrity: the messages written by Alice are not altered

Slide 23

How Has TLS Achieved the Security Goals?
• Security goals
  • Authentication
  • Confidentiality (Privacy)
  • Integrity
• Cipher suite
  • A set of algorithms that help secure a network connection

Slide 24

Cipher Suites of TLS 1.2

Slide 25

Cryptographic Primitives
• Low-level cryptographic algorithms that are used to build cryptographic protocols
• Symmetric-key cryptography: cipher
• Asymmetric-key cryptography: key establishment, authentication
• Diffie-Hellman key exchange: key establishment
• Cryptographic hash function: data integrity
• Message Authentication Code (MAC): data integrity
(Figure: Cipher Suite)

Slide 26

Symmetric-Key Cryptography
• Uses the same key (session key) for encryption and decryption
• Used for block/stream ciphers because it is fast
• Types
  • Block ciphers: AES, SEED, ARIA
  • Stream ciphers: ChaCha20, RC4
• Goals: Confidentiality, Authentication
• How to share the key?

Slide 27

Asymmetric-Key Cryptography
• Uses different keys for encryption and decryption
  • Private key
  • Public key
• Algorithms: RSA, DSA
• Goals: Authentication, Key exchange

Slide 28

Digital Certificates
• A digital document that certifies the ownership of a public key
• Algorithms
  • RSA
  • ECDSA
  • ANON
• Goal: Authentication
(Figure: Alice, Bob)

Slide 29

Key Exchange / Agreement / Establishment
• Methods to share the same key over an insecure channel
• Types
  • RSA based
  • Diffie-Hellman (DH) based: DH, DHE, ECDH, ECDHE

Slide 30

RSA Key Exchange
• Alice encrypts the session key with Bob's RSA public key and sends it
• Only Bob can decrypt it and get the session key

Slide 31

RSA Key Exchange (continued)
• Is Bob's private key always safe for its lifetime?

Slide 33

The Heartbleed Bug – CVE-2014-0160
• A buffer over-read vulnerability due to a missing bounds check in the implementation of the TLS heartbeat extension in the OpenSSL library
• A long-lived private key can be compromised in the future

Slide 35

RSA Key Exchange (continued)
• Is Bob's private key always safe for its lifetime?
• What if Eve keeps records of all communications and obtains Bob's private key later?

Slide 37

Perfect Forward Secrecy (PFS)
• The conversation is kept secure even if the long-term private key is compromised in the future
• To provide PFS
  • Use a temporary session key
  • Do not save the session key in permanent storage

Slide 38

Diffie-Hellman(-Merkle) Key Exchange (DHM, DH)
• A method that allows two parties to obtain a shared session key over an insecure channel without prior knowledge
• Algorithm
  • Based on the discrete logarithm problem
  • $K = A^b = (g^a)^b = (g^b)^a = B^a \pmod p$, where $A = g^a \bmod p$ and $B = g^b \bmod p$ are the public values
  • It's hard to derive $K$ with just $A$ and $B$
• Pros
  • Share a session key through an unsafe channel
  • Perfect forward secrecy
(Figure label: Public)

Slide 39

Data Integrity
• Hash function
• Keyed hash function
• Message Authentication Code (MAC)
• Pseudo-Random Function (PRF)

Slide 40

Hash Function
• Any function that maps data of arbitrary size to data of a fixed size
• Cryptographic hash function
  • Has cryptographic properties
    • Pre-image resistance
    • Second pre-image resistance
    • Collision resistance
  • MD5, SHA-N, BLAKE2
• Goal: Integrity
  • Anyone can forge any message, since no key is needed to recompute the hash
  • ex) python2 -c "print(hash('1'))" → always the same

Slide 41

Message Authentication Code (MAC)
• A secret-keyed hash function used to protect both the integrity and the authenticity of data
• Resistant to forgery attacks
• HMAC, CMAC, Poly1305, SipHash
• Goals: Integrity and Authentication
• ex) python3 -c "print(hash('1'))" → different per process
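
An added example, not from the slides, contrasting the two checks above using Python's standard library: anyone can recompute a SHA-256 over a substituted message, while an HMAC-SHA256 tag cannot be recomputed without the shared key. The message, the altered message and the test key are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample message; in TLS the data would be a record's plaintext.
MESSAGE = b"transfer 100 to bob"

def hash_tag(msg: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption, but needs no secret to recompute."""
    return hashlib.sha256(msg).hexdigest()

def verify_hash(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(hash_tag(msg), tag)

def mac_tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_mac(key: bytes, msg: bytes, tag: str) -> bool:
    # compare_digest runs in time independent of where the tags first differ,
    # so the verifier does not leak the expected tag through timing.
    return hmac.compare_digest(mac_tag(key, msg), tag)

def demo(key: bytes = None) -> dict:
    """Plays the Alice/Bob/Eve scenario from the slides with both tag types."""
    key = key or secrets.token_bytes(32)       # shared by Alice and Bob, unknown to Eve
    genuine, altered = MESSAGE, b"transfer 100 to eve"   # constructed
    # Hash only: Eve swaps the message and recomputes the hash herself, so Bob's
    # integrity check passes although the message is not what Alice wrote.
    hash_accepts_altered = verify_hash(altered, hash_tag(altered))
    # HMAC: without the key the best Eve can do is reuse Alice's tag, which no
    # longer matches the altered message; the genuine message still verifies.
    alice_tag = mac_tag(key, genuine)
    return {
        "hash_accepts_altered": hash_accepts_altered,
        "mac_accepts_altered": verify_mac(key, altered, alice_tag),
        "mac_accepts_genuine": verify_mac(key, genuine, alice_tag),
    }
```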

Slide 42

TLS 1.2 Handshake Overview
1. Check the certificate of the peer
2. Choose a cipher suite that both support
3. Set up and share the parameters and the key of the cipher suite
4. Encrypt / decrypt using that cipher suite

Slide 43

TLS 1.2 Handshake - RSA

Slide 44

TLS 1.2 Handshake - DH

Slide 45

Transport Layer Security 1.3

Slide 46

What's better in TLS 1.3?
• Security
• Speed

Slide 47

Major Differences from TLS 1.2 (each item is marked Security or Speed on the slide)
• 1-RTT handshake
• Initial support for 0-RTT
• TLS 1.2 version negotiation mechanisms are deprecated
• A cipher suite is split into cipher, key exchange and signature algorithm
• All key exchange algorithms provide forward secrecy
• EdDSA is added to the signature algorithms
• Insecure ciphers are removed (CBC mode, RC4, SHA-1, MD5, …)
• Only AEAD is allowed for symmetric cryptography
• The entire handshake is signed
• All handshake messages after ServerHello are encrypted
• Elliptic curve algorithms are in the base spec

Slide 48

Handshakes Comparison
• TLS 1.3 saves 1 RTT
(Figure: TLS 1.2 full handshake vs TLS 1.3 full handshake)

Slide 49

TLS Resumption
• Remember the last connection, and cut the handshake short
(Figure: TLS 1.2 – 1-RTT, TLS 1.3 – 0-RTT)

Slide 50

Simplify Negotiation
• TLS 1.3 removes many legacy features, and splits negotiation into three orthogonal negotiations

Slide 51

Key Exchange Algorithms of TLS 1.3
(Figure: key exchange algorithms of TLS 1.2 vs TLS 1.3)
• TLS 1.3: all algorithms provide forward secrecy

Slide 52

Signature Algorithms
• TLS 1.2
  • RSA
  • DSA
  • ECDSA
• TLS 1.3
  • RSA
  • ECDSA
  • EdDSA

Slide 53

Cipher Suites of TLS 1.2

Slide 56

Cipher Suites of TLS 1.3
• Naming format: TLS_AEAD_HASH

Slide 57

Authenticated Encryption with Associated Data (AEAD)
• A form of encryption that simultaneously provides confidentiality, integrity and authenticity of the data
• Earlier attempts at combining a cipher and a MAC, before AE
  • Encrypt-and-MAC (E&M)
  • Encrypt-then-MAC (EtM)
  • MAC-then-Encrypt (MtE)
  • → Error-prone and difficult to get right
• AD: data that needs integrity, not confidentiality
  • ex) header

Slide 58

ChaCha20-Poly1305
• AES
  • AES-CBC
    • Widely used
    • Attacks on CBC mode have emerged
  • AES-GCM
    • No known breaks
    • Slow
    • Small nonce size (8 bytes)
• ChaCha20-Poly1305
  • Faster than AES
  • No known breaks
  • Chosen by
    • Google
    • Cloudflare
    • TLS 1.3

Slide 59

Signing the Entire Transcript
• In TLS 1.2, the server's signature only covers part of the handshake
• A symmetric MAC is used to ensure the integrity of the rest
• This made vulnerabilities possible (FREAK, Logjam, etc.)

Slide 63

Encryption after ServerHello
• TLS 1.3 saves 1 RTT
(Figure: TLS 1.2 full handshake vs TLS 1.3 full handshake)

Slide 64

Elliptic Curve Cryptography
• Uses special computations on an elliptic curve ($y^2 = x^3 + ax + b$)
• What are the pros?
  • Short keys
    • 256 bits are enough to offer 128 bits of security (compare to RSA-3072)
  • Faster
    • With a 256-bit key, over 20 times faster than RSA-2048
• Comparable key sizes

  RSA key size (bits)   ECC key size (bits)
  1024                  160
  2048                  224
  3072                  256
  7680                  384
  15360                 521

Slide 65

Famous Elliptic Curves
• NIST P-256
• NIST P-384
• NIST P-521
• Curve25519
  • OpenSSL default
• …

Slide 66

Elliptic Curve Groups of TLS 1.2 and TLS 1.3

Slide 67

Elliptic-Curve Diffie-Hellman Key Exchange (ECDH)
• A method that allows two parties to obtain a shared secret key over an insecure channel without prior knowledge
• Traditional Diffie-Hellman (DH)
  • $K = A^b = (g^a)^b = (g^b)^a = B^a \pmod p$
• Elliptic-Curve Diffie-Hellman (ECDH)
  • $K = bA = b(aG) = a(bG) = aB$, where $A = aG$ and $B = bG$ are the public points
• Pros
  • Share a session key through an unsafe channel
  • Perfect forward secrecy
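
An added example, not code from the slides, carrying both formulas through in Python: classic DH with pow() over a toy modulus, and ECDH with textbook affine point arithmetic on NIST P-256 (the slide's NIST-p256) using the curve's standard constants; each party draws a fresh ephemeral private value per run, which is what gives the forward secrecy listed under Pros. For study only: the toy modulus is far too small and the scalar multiplication is not constant-time.

```python
import secrets
# Classic DH: K = A^b = (g^a)^b = (g^b)^a = B^a (mod p). TOY_P is a toy modulus for
# illustration only (2^127 - 1 is prime); real use: RFC 7919 ffdhe groups or ECDH.
TOY_P, TOY_G = 2**127 - 1, 5

def dh_keypair(p=TOY_P, g=TOY_G):
    x = secrets.randbelow(p - 2) + 1          # fresh ephemeral private exponent
    return x, pow(g, x, p)                    # (a, A = g^a mod p)

def dh_shared(private, peer_public, p=TOY_P):
    return pow(peer_public, private, p)       # B^a == A^b == g^(ab) mod p
# ECDH on NIST P-256, y^2 = x^3 + ax + b over GF(p): K = b(aG) = a(bG)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # order of G

def on_curve(pt):
    x, y = pt
    return (y * y - x ** 3 - A * x - B) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                           # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: study only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ecdh_keypair():
    d = secrets.randbelow(N - 1) + 1          # fresh ephemeral scalar in [1, N-1]
    return d, ec_mul(d, G)                    # (a, A = aG)

def ecdh_shared(private, peer_public):
    if peer_public is None or not on_curve(peer_public):
        raise ValueError("peer public key is not a point on P-256")
    return ec_mul(private, peer_public)[0]    # shared secret = x-coordinate of bA
```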

Slide 68

Why did the TLS finalization take a long time?

Slide 69

Why did the TLS finalization take a long time?
• Because of backward compatibility

Slide 70

The Version Negotiation of Older TLS
• Backward compatibility of TLS 1.0
  • SSLv3   = 3.0 = 0x0300
  • TLS 1.0 = 3.1 = 0x0301
  • TLS 1.1 = 3.2 = 0x0302
  • TLS 1.2 = 3.3 = 0x0303
  • TLS 1.3 = 3.4 = 0x0304
(Figure: Client (TLS 1.3) offers 0x0304; Server (TLS 1.2) answers 0x0303; both continue with 0x0303)

Slide 71

The Version Negotiation of Older TLS (continued)
(Figure: Client (TLS 1.3) offers 0x0304; Server (TLS 1.2) answers 0x0303; the connection ends in Disconnect)

Slide 72

Middleboxes

Slide 75

Solutions
• Make the ClientHello packet of v1.3 look like that of v1.2
• Share the supported version list in an extension

  TLS 1.2:
    ClientHello
      client_version = 0x0303;   /* TLS 1.2 */
      …

  TLS 1.3:
    ClientHello
      legacy_version = 0x0303;   /* TLS 1.2 */
      …
      Extensions
        SupportedVersions
          List versions = { 0x0304, 0x0303, 0x0302 };   /* TLS 1.3, 1.2, 1.1, in preference order */
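
An added example, not part of the slides, that models the solution above in Python: it builds a minimal ClientHello body with legacy_version = 0x0303 and a supported_versions extension (type 43 in RFC 8446) listing 0x0304, 0x0303, 0x0302, then shows how a TLS 1.3 server picks from the extension while a TLS 1.2-only server never looks past legacy_version. Assumed placeholders: the 32-byte random, a single cipher suite, and omitted record and handshake headers.

```python
import struct

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43            # extension type, RFC 8446 section 4.2.1
TLS_AES_128_GCM_SHA256 = b"\x13\x01"   # one TLS 1.3 suite so the field is non-empty

def build_client_hello(versions, legacy_version=TLS12):
    """Constructed ClientHello body (record and handshake headers omitted).
    `versions` is the supported_versions list in preference order; None or an
    empty list means the client sends no such extension (pre-TLS 1.3 behaviour)."""
    random = b"\x42" * 32                              # placeholder; real clients use CSPRNG output
    body = struct.pack("!H", legacy_version) + random
    body += b"\x00"                                    # legacy_session_id: empty
    body += struct.pack("!H", 2) + TLS_AES_128_GCM_SHA256  # cipher_suites
    body += b"\x01\x00"                                # legacy_compression_methods: null only
    ext = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        data = bytes([len(vlist)]) + vlist             # 1-byte length prefix for the list
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    return body + struct.pack("!H", len(ext)) + ext

def parse_client_hello(body):
    """Returns (legacy_version, supported_versions list or None)."""
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                       # skip random
    pos += 1 + body[pos]                               # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                               # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, supported = pos + 2, None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return legacy_version, supported

def negotiate(body, server_versions):
    """Server-side version selection; returns the chosen version or None (abort)."""
    legacy_version, supported = parse_client_hello(body)
    if TLS13 in server_versions and supported is not None:
        # TLS 1.3 server: legacy_version is ignored, the extension decides
        common = [v for v in supported if v in server_versions]
        return max(common) if common else None
    # Older server, or a client without the extension: only legacy_version counts,
    # and RFC 8446 forbids negotiating 1.3 through that field
    candidates = [v for v in server_versions if v <= legacy_version and v != TLS13]
    return max(candidates) if candidates else None
```

A client that omits the extension is negotiated at TLS 1.2 or lower even by a TLS 1.3 server, which is how the old negotiation path keeps working unchanged.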

Slide 76

TLS 1.3 Deployment

Slide 78

Test TLS 1.3

Slide 81

DJB
• Daniel J. Bernstein
• Bernstein v. United States
  • Sued over the restriction on the export of cryptography from the United States
• SipHash
• Curve25519
• Ed25519
• ChaCha20
• Poly1305
(Side note on the slide: the reason the Korean Internet became an ActiveX hell)

Slide 82

References
• https://en.m.wikipedia.org/wiki/Cryptography
• https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/
• https://wiki.openssl.org/index.php/TLS1.3
• https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
• https://tools.ietf.org/html/rfc8446

Slide 83

Candidates for Presentation Items (My Interests)
• CPU optimization, Meltdown and Spectre
• WiFi networks are insecure, waiting for WPA3
• VPN
• Elliptic Curve Cryptography
• …

Slide 84

Thank you

Slide 85

Backup Slides

Slide 86

Discrete Logarithm Problem
• $B = A^x \bmod p$
• $A$, $B$, $x$ are integers; $p$ is a public prime
• $A$ is public information, $B$ is the public key
• It is easy to calculate $B$ from $x$
• It is hard to calculate $x$ from $B$

Slide 87

Pseudo-Random Function (PRF)
• A keyed hash function whose output looks like random values
• MAC + the output should look random: stronger than a MAC
• HMAC, CMAC, Poly1305, SipHash
• Goals: Integrity, Authentication
• PRF ≠ Pseudo-Random Generator (PRG)
  • PRG: only if the input was chosen at random
  • PRF: regardless of how the inputs were chosen

Slide 88

The Version Negotiation of Older TLS
• Backward compatibility of TLS 1.0
  • SSLv3   = 3.0 = (3, 0)
  • TLS 1.0 = 3.1 = (3, 1)
  • TLS 1.1 = 3.2 = (3, 2)
  • TLS 1.2 = 3.3 = (3, 3)
• Browser's options
  • Enable 1.2 → many sites will stop working
  • Delay the deployment of 1.2 until these servers are fixed
  • Retry with an older version of TLS if the connection fails
(Figure: Client (TLS 1.2) offers (3, 3); Server (TLS 1.0) answers (3, 1); the connection ends in Disconnect)

Slide 89

Padding Oracle On Downgraded Legacy Encryption (POODLE)
• Fixes
  • Disable SSLv3 on both sides
  • Enable the new TLS feature SCSV
    • The client marks its supported versions when it downgrades
    • The server can detect the attack

Slide 90

Discrete Logarithm on Elliptic Curves
• $P = nG \pmod p$
• $P$ and $G$ are points with integer coordinates, $n$ is an integer, $p$ is a public prime
• $G$ is public information, $P$ is the public key
• It is easy to calculate $P$ from $n$
• It is hard to calculate $n$ from $P$
• Provides the same security level with smaller keys

Slide 93

Security Level (Bits of Security)
• n-bit security: $2^n$ operations are needed to break it
• Sufficient length
  • 128 bits of security is sufficient until the next revolutionary breakthrough in either mathematics or technology
  • 112 bits of security is sufficient until 2030
• Symmetric cryptography
  • Normally equal to the key size
  • AES-128 (key size 128 bits) offers a 128-bit security level
• Asymmetric cryptography
  • The effective entropy is lower than the key size, because the key has to provide the asymmetric function
  • RSA-3072 offers a 128-bit security level

Slide 94

TLS Resumption
• Remember the last connection, and cut the handshake short

Slide 95

TLS Resumption (continued)
• Browsers can send only GET requests in 0-RTT