History Crypto Primitives TLS < 1.3 Hands on Bibliography Was ist neu bei TLS 1.3? TSLv1.3 – 21nd Century Internet Transmission Security Dr. Erwin Hoffmann November, 20th, 2018 1 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography Todays Agenda • History of TLS and it’s cryptographic concepts • Working model of former TLS implementations • Changes done for TLS 1.3 • OpenSSL 1.1.1 under OmniOSce • Installation of fehQlibs + ucspi-ssl • Protocol analysis using WireShark and ’testssl’ TLS 1.3. has been published in RFC 8446 after years of discussion in the IETF in August 2018. Since September 2018 OpenSSL 1.1.1 is available supporting TLSv1.3. My software ucspi-ssl-0.10 is OpenSSL 1.1.1 enabled and used here together with OmniOS (r15028). 2 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography Internet security protocols Transport Layer Security (TLS) – aka Secure Socket Layer (SSL) – is a fundamental IT security concept and in particular used for Web encryption (HTTPS) and encrypted email transmission (ESMTPS/ESMTP+StartTLS). Dark Fiber Bit transmission PHY PHY MAC MAC IP IP TCP/UDP TCP/UDP TLS TLS TLS Tunnel Router function HTTPS HTTPS SSH SSH protected TLS end-to-end transmission protected messages IPsec packets TLS- Records Message User (authenticated) Application Instance (stateful) Instance (stateless, stateful) Instance (authenticated) Security Association via IPsec MAC frames MACsec WPA(2) Wireless Figure: IT security protocols in a layered view → The cryptographic framework and routines are also used for SSH, PGP, IPSec and WiFi (WPA2), though in a different context. 3 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography Development of cryptographic standards and protocols Dark Fiber Bit transmission PHY PHY MAC MAC IP IP TCP/UDP TCP/UDP TLS TLS TLS Tunnel Router function HTTPS HTTPS SSH SSH protected TLS end-to-end transmission protected messages IPsec packets TLS- Records Message User (authenticated) Application Instance (stateful) Instance (stateless, stateful) Instance (authenticated) Security Association via IPsec MAC frames MACsec WPA(2) Wireless Figure: Cryptographic standards since the Unix epoch 4 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography The #4 Crypto Primitives Internet CA’s private key σ: Signature Primitive DSA, DSS !: Key Exchange Primitive RSA, Diffie-Hellman : En/Decryption Primitive C Block + Stream ciphers (AES, ChaCha) MD5, SHA, Poly1305 h: Hash Primitive Bob’s private key public key Bob’s public key CA’s Certificate Authority (CA) Asymmetrical crypto Symmetrical crypto Bob Alice Figure: The #4 crypto primitives 5 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS Use Cases EHLO client 220 hostname EMSTP 250-hostname 250-PIPELINING 250-8BITMIME 250-SIZE 0 250-AUTH LOGIN 250 STARTTLS TCP SYN STARTTLS 220 Ready to start TLS SMTP- Server TCPListen Port 25 Internet EHLO client 220 hostname EMSTP 250-hostname 250-PIPELINING 250-8BITMIME 250-SIZE 0 250 AUTH LOGIN TCP SYN SMTP- Client (MUA) SMTPS- Server TCPListen Port 465 TLS Tunnel Internet a) b) TLS Handshake TLS Tunnel TLS Handshake SMTP- Client (MUA) Figure: Immediate TLS and delayed TLS encryption; aka STARTTLS / STLS • Immediate/mandatory TLS encryption: HTTPS, SMTPS, LDAPS, IMAPS, POP3S, QMTPS • Delayed/optional TLS encryption: ESMTP + StartTLS, POP3 + STLS 6 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS Networking Layering Internet Protocol (IP) Transmission Control Protocol (TCP) HTTP, SMTP, LDAP, ... Application protocol T L S Record Layer Protocol Alert Change CipherSpec Hand- shake Heart- beat (Type 24) (Type 22) (Type 20) (Type 21) (Type 23) User Datagram Protocol (UDP) Figure: TLS protocol layering • TLS is located on top of TCP/UDP (layer 4+5) and below the application layer (7). • It provides a ’mini’ layering. • The Record layer can be considered as transmission layer: The workhorse. • Handshake, Change Cipher and Alert messages are mostly un-encrypted (using a NULL-encryption). • The Application messages are encrypted and protected. • The Heartbeat Protocol was added in 2011 with only rough evaluation (and fatal consequences). 7 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography The #4 Crypto Primitives within TLS < 1.3: The Handshake TLS < 1.3 provides three different ways of handshakes: • RSA handshake using static RSA public and private keys (the RSA public key is part of the X.509 certificate). • Diffie-Hellman using the Discrete Logarithm algorithm (DHE) while providing ephemeral keys. The DH parameters can be configured and changed frequently. • Diffie-Hellman with Elliptic Curve Cryptography (ECDHE). Curves and the DH params (as starting point for the calculation are typically fixed by the implementation. Internet (TLS-)Server (TLS-)Client 1 2 3 5 6 7 8 9 10 ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished TCP segment TCP segment = IP packet secured TLS connection 4 ServerKeyExchange TCP Three Way Handshake TCP segment TCP segment Figure: TLS handshake message exchange 8 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography The #4 Crypto Primitives within TLS < 1.3: Encryption TLS as the successor of SSL supports different sets of symmetrical de/encryption: Block ciphers: • 64 bit key-length   DES • 128 bit key-length   3DES • 128, 256, 384, 512 bit key-length AES → The Block Ciphers are often used in ’stream- ing mode’: CBC, OFB, GCM. Stream ciphers: • 40 + 128 bit key-length   RC4 • ChaCha20 (with TLS 1.2) Symmetrical En-/De-cryption Block Cipher Stream Cipher Feistel Chiffres (DES, 3DES, Lucifer, TEA) Rijndael Chiffres (AES, Blowfish, Serpant, Idea) Cipher stream (RC4, A5/1+A5/2) One Time Pad ECB CBC CFB S-Box LFSR NFSR IV + common secret key Input data Encryption- algorithm/ implementation Operations mode GCM Cipher stream generation fixed key pseudo-random key Steps: Figure: TLS symmetric encryption 9 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography The #4 Crypto Primitives within TLS < 1.3: Integrity Check • TLS (1.2) uses a keyword authenticated hash to provide authenticity and integrity for the data: Message Authentication Code (keyed MAC). • Since TLS employs both stream and block encryption, hashing is done per TLS record prior of encryption: MAC-then-encrypt (MtE). MAC Message(s) RL Header Length (2 Byte) Version (2 Byte) Protocol (1 Byte) encrypted (optional) Hashvalue MP Padding (optional) Protocol = MAC Data of the application protocol Compression Segment MAC calculation Encryption Record Layer Frame Record Layer Header Segment Segment Auth key Session key (+IV) PL 20: ChangeCipherSpec Protocol 21: Alert Protocol 22: Handshake Protocol 23: Application Protocol (HTTP, ….) 24: Heartbeat Protocol (DTLS; maybe also TLS) Figure: Checking the integrity of transmitted data 10 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography The #4 Crypto Primitives within TLS < 1.3: Cipher Suites • Crypto primitives used for the current session are provided as Cipher Suite. • The TLS protocol enumerates the sets fo crypto primitives. TLS _ KeyExchange+Authentication Encryption+Operational mode MAC RSA DH/DHE ECDH Null *RC4(_40/_56/_128) DES(_40/_56) 3DES_EDE(3) AES(_128/_256/_512) RC2(_128/_256) SEED CAMILLA ECB(default) CBC GCM Anonymous DH RSA RSA (Export) DSA DSS ECDSA Null MD5 SHA(1) SHA256 SHA384 *) Stream cipher; all others: Block ciphers _ _ Figure: TLS Cipher Suites [RFC 3268] CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 }; CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 }; CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 }; CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 }; CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A }; 11 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS < 1.3: Keymaterial and Keys • TLS uses a variety of hash functions to derive deterministically the PreMasterSecret and the Session keys from the input material. • Hash functions are used to ’diffuse’ the input and thus pseudo random sequences with significant entropy are the result. • This is called a ’Pseudo Random Function’ PRF. ServerRandom ClientRandom 'A' SHA MD5 PreMasterSecret Hash SHA SHA MD5 PreMasterSecret Hash PreMasterSecret Hash MD5 Hash Hash Hash Hash Hash Hash PreMasterSecret ServerRandom ClientRandom 'BB' PreMasterSecret ServerRandom ClientRandom 'CCC' Hash Hash Hash 3 * 128 bit } } } MAC Secret Session Secret IV Client Server Client Server Client Server Initialisation vector IV: a) For Stream ciphers - or - b) for CBC/GCM operation mode PreMasterSecret Figure: Generating the PreMaster and the Session secrets → Given RSA encryption, the only ’random’ number is the client’s random provided during the handshake. For Diffie-Hellman, client and server deliver a random value. 12 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS < 1.3: Weaknesses • Backward compatibility with ancient SSL 2.0 (older versions): Renegotiation. • ’Export ciphers’ suited for NSA de-cryption. • Control messages (Alerts, CCS) transmitted in clear text. • No particular state model, thus attacker can interrogate at any point. • Some Cipher suites (in particular with CBC) are weak or even bad. • Very little control on negotiated Cipher suites (mod_ssl). • Handshake is slow. • Session Resumption with persistent data. • Handshake can be broken up (MitM). • MtE delivery valuable information for a hacker given its data decryption. → TLS (as successor of SSL) is broken by design; it is ’just’ working and deployed ... everywhere. 13 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS 1.3 – Summary After years of discussion, the IETF released TLS 1.3 in RFC 8446 (and RFC 8447. • The TLS 1.3 core is a complete redesign. • Compatibility with older TLS version is provided supporting its ’skeleton’ behaviour and faking a TLS 1.2 handshake. • As already used in previous TLS releases, TLS 1.3 uses the ’Hello Message’ to transport the new parameters. • ECDHE key exchange is mandatory and the only one! • TLS uses only a very restricted set of Cipher Suites. • Those Ciphers Suites (apart from AES and GCM) are mainly based on Dan Bernstein’s developments. • TLS 1.3 protects the negotiated data as soon as it is possible during the handshake. • ’Early’ Application Data can be transmitted in the handshake. • The handshake in TLS 1.3 is much more efficient and – using Session Resumption – provides a 0RTT capability. → Though trying to cope with older TLS versions, TLS 1.3 is a different beast. Some ’Middleboxes’ don’t allow to let the TLS 1.3 traffic through, since it does not look like as expected. 14 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS 1.3 – Handshake The TLS 1.3 is much more efficient using an early encryption scheme. Internet (TLS) Server (TLS) Client 1 Finished (HKDF/Handshake) Message 2a TCP Session established a) Version = 3.3, Random, Nonce, Cipher Suites, C = 0, ClientHello Version = 3.3, Random, SessionID, Cipher Suite, C = 0, ServerHello Certificate Verify (signature TH) Certificate 3 Finished (HKDF/Handshake) Generates Master & Session keys TLS Connection Verifies Certificate Generates Master & Session keys Internet (TLS) Server (TLS) Client 1 Finished (HKDF/Handshake) Message TCP Session established b) Certificate Verify (signature TH) Certificate Finished (HKDF/Handshake) TLS Connection Certificate Request Certificate Certificate Verify (signature TH) Version = 3.3, Random, Nonce, Cipher Suites, C = 0, ClientHello Version = 3.3, Random, SessionID, Cipher Suite, C = 0, ServerHello Key Exchange Authentication Message 2b 2c 2d 2a 2b 2c 2d 2e 3a 3c 3b Extensions: ’x304’, ALPN Extensions: ’x304’, ADP Extensions: ’x304’, ALPN Extensions: ’x304’, ADP en- crypted en- crypted HKDF(shared secret,“s/c hs traffic“,TH) HKDF(shared secret,“c/s app traffic …“,TH) Traffic key Application key Figure: TLS 1.3 Handshake; (a) without and (b) with Client Certificate Request; ALPN: Application Layer Protocol Notifications Only three messages are exchanged: Client → Server The (unencrypted) Client Hello message. Server → Client The Server Hello message: The first part including protocol artefacts in clear text; the further parts are encrypted with a provisional secret (Traffic Key) covering in particular the X.509 cert. Client → Server The encrypted Finish message, telling that the Application Key is ready for use. 15 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS 1.3 – Cipher Suites TLS _ KeyExchange+Authentication Encryption+Operational mode MAC ECDHE Null AES_128_GCM_SHA256 AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256 AES_128_CCM_SHA256 AES_128_CCM_8_SHA256 SHA-256 SHA-384 _ _ secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), x25519(0x001D), x448(0x001E) Figure: TLS 1.3 Cipher Suites CipherSuite TLS_AES_128_GCM_SHA256 {0x13,0x01} CipherSuite TLS_AES_256_GCM_SHA384 {0x13,0x02} CipherSuite TLS_CHACHA20_POLY1305_SHA256 {0x13,0x03} CipherSuite TLS_AES_128_CCM_SHA256 {0x13,0x04} CipherSuite TLS_AES_128_CCM_8_SHA256 {0x13,0x05} Note: CCM = Cipher Block Chaining - Message Authentication Code (CBC-MAC) → No particular Authentication method is indicated. Apart from PSK all Transcript Messages are authenticated requiring a valid server X.509 certificate. openssl ecparam -list_curves 16 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS 1.3 – Record Layer MAC Message(s) RL- Header Length (2 Byte) Version (2 Byte) Content type (1 Byte) encrypted (optional) Hashvalue MP PL Padding (optional) HMAC Application data Compression Segment MAC- calculation Encryption Record Layer Frame Record Layer Header Segment Segment a) b) Message(s) Length (2 Byte) Version = x’303’ Content type (1 Byte) Zero Application data Segment AEAD encryption Record Layer Frame Record Layer Header Segment Segment d) c) Padding optional Secret Nonce Additional data Content type Padding length (1 Byte) Figure: TLS 1.3 a) Record layer structure w and c) w/o MAC, b) Record with MAC, d) Record with AEAD 17 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS 1.3 – Keys HKDF-Extr. Handshake Secret Handshake Secret, „s hs traffic“, TSH(HelloMessages) Handshake Secret, „c hs traffic“, TSH(HelloMessages) HKDF-Extr. Master Secret Master Secret, „c ap traffic“, TSH(HelloMessages) Master Secret, „s ap traffic“, TSH(HelloMessages) Master Secret, „exp master“, TSH(HelloMessags) Master Secret, „res master“, TSH(HelloMessages) HKDF-Extr. Early Secret Early Secret, „c e traffic“, TSH(ClientHello) Early Secret, „ext binder | res binder“, „∅“ Early Secret, „e exp master“, TSH(ClientHello) (EC) DHE Secret Early Secret, „derive“, „∅“ Pre Shared Keys Handshake/Key Exchange Traffic En/Decryption binder key (Label) Client Early Traffic Secret Early Exporter Master Secret Client Traffic Handshake Secret Server Traffic Handshake Secret Client Application Traffic Secret_0 Server Application Traffic Secret_0 Exporter Master Secret PSK | 0 Resumption Master Secret 0 Derived Secret Derived Secret Handshake Secret, „derive“, „∅“ 0 none- deterministic Key Generation Pipeline Session Resumption PRF Exporter iterative key generation stateful key usage Figure: TLS 1.3 Key generating procedure using HKDF 18 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS 1.3 – PSK & 0RTT and Grease Session Resumption is possible within TLS 1.3 provided, both client and server store the negotiated secret (per- sistently): Pre-shared Keys (PSK). The PSK secret is indicated in the Client Hello message providing a hash of the PSK and coupled with the identity of the client. → In this case, a TLS session can lit- erally succeed in one step, thus 0-RTT. However, this breaks Perfect Forward Secrecy (PFS) Grease: Generate Random Extensions And Sustain Extensibility can applied by client or server to ’test’ the counter- parts TLS 1.3 capabilities indicating ’invalid’ Cipher Suites in the Hello message. Internet (TLS) Server (TLS) Client 1 Message 2 TCP Session established Versions= 3.3, Random, Nonce, Cipher Suites, Compression = 0 ClientHello Version = 3.3, Random, SessionID, Cipher Suite, Compression = 0 ServerHelloRetry Supported Vers: … Key Share Hello Retry Request: x25519 Supported Vers: ’x304’ Grease Supported Groups: x25519, secp256r1, … Key Share Entry: Grease Key Share Entry: x25519 cd34bb1ac39…. Extensions matching k Finished (HKDF/Handshake) TLS Connection 3 Ticket Lifetime, Ticket Age Ticket Nonce, Ticket …., Extensions New Session Ticket Stores PSK-Label & Session keys Figure: TLS 1.3 using Pre-shared Keys 19 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography TLS 1.3 – 1RTT Session establishment can be acceler- ated in case both client and server don’t need to negotiate the Cipher, but rather provide a quick focus: 1-RTT. In this case, the client indicates to the server to know already the (otherwise transmitted) DH-Params and the cho- sen curve (for ECC) for a quick negoti- ation. → However, the server may have changed its DH-Params, thus this pro- cedure would not work out. Rather, in this case, the server sends a Hello Retry message telling the new DH- Params. This procedure obviously does not violate PFS, since only protocol artefacts are provided by the client. Internet (TLS) Server (TLS) Client 1a Message 2a TCP Session established Versions= 3.3, Random, Nonce, Cipher Suites, Compression = 0 ClientHello Version = 3.3, Random, SessionID, Cipher Suite, Compression = 0 ServerHelloRetry Supported Vers: … Key Share Entry: x25519 Key Exchange: ef1bc93.. Extensions 2b Application Data (23) matching 1b Early Data (23) Key Share Entry: x25519 cd34bb1ac39…. PSK Kex Exchange Modes: psk_dhe_ke PSK Identity: identity, obfuscated ticket age PSK Binder: HMACs Offered PSK: identity, binders Figure: TLS 1.3 using 1-RTT message exchange 20 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography Commercial spot AUTOREN HEADLINE Inklusive: Kapitel zum Internet of Things anatol BADACH erwin HOFFMANN Technik der IP-NETZE INTERNET-KOMMUNIKATION IN THEORIE UND EINSATZ 4. Aufl age Figure: Technik der IP-Netze (4th edition) 21 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography Implementation OpenSSL 1.1.0: • Install OpenSSL 1.1.1 on OmniOSce – however without overwriting previous Libs. • How to tell which OpenSSL is installed? fehQlibs + ucspi-ssl: • Install fehQlibs (under /usr/local). • Install ucspi-ssl using fehQlibs and OpenSSL 1.1.1. • How can you tell that OpenSSL 1.1.1 is in use for a client/server? testssl: • Install Dirk Wetter’s ssltest from https://github.com/drwetter/testssl.sh • Test TLS 1.3. for some sites (including Google and fehcom). WireShark: • Install WireShark (> 2.5). • Record a TLS 1.3 connection setup and do an interpretation of the negotiation. 22 / 23 

History Crypto Primitives TLS < 1.3 Hands on Bibliography Bibliography • RFC 8446 • RFC 8447 • https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08 23 / 23