What's new in TLS 1.3

Transcript

1. What’s new in TLS 1.3 Marcus Bointon Technical director, Synchromedia

   Limited & Smartmessages.net

2. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 What is TLS? ❖ Transport Layer Security - TLS ❖ Defines a standard (RFC) framework - not an implementation ❖ Prevents eavesdropping - Encryption ❖ Prevents forgery - Authentication ❖ Prevents tampering - Validation / verification ❖ Many implementations: OpenSSL, LibreSSL, BearSSL, BoringSSL, GnuTLS, Secure Transport (macOS) ❖ Used in HTTPS, SMTP, IMAP, POP3, FTPS, VPNs etc

3. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 What’s in a name? ❖ The “new” name for SSL (since 1999!) ❖ SSLv2, SSLv3… ❖ TLSv1.0, TLSv1.1, TLSv1.2… ❖ Much bikeshedding: TLSv1.3? TLSv2.0? SSLv4? SSLv5? ❖ TLSv1.3

4. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 Components: Hashes ❖ “One-way” encryption ❖ Integrity checking, file comparison, passwords ❖ Old: MD5, SHA-1 ❖ Fast: SHA-2 (256, 384, 512), SHA-3 ❖ Slow: bcrypt, Argon2 for passwords - not in TLS ❖ Anybody can generate one

5. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 Components: MACs ❖ Message Authentication Code - Digital Signature ❖ Ensures integrity & authenticity ❖ Like a hash, but adds a key ❖ HMAC algorithm does exactly that ❖ Only key holders can generate a MAC ❖ HMAC-MD5, HMAC-SHA256 ❖ Poly1305

6. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 Components: Ciphers ❖ Computationally prohibitively expensive algorithms ❖ Symmetric ❖ Only private keys - fast; AES, ChaCha20 ❖ Asymmetric ❖ Public & private keys - slow; RSA, ECDSA ❖ Stream (ChaCha20) & block (AES) ❖ AEAD ciphers: AES-GCM, AES-CCM, ChaCha20-Poly1305

7. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 Components: Key Exchange ❖ Manage the switch from asymmetric to symmetric ciphers by passing a private key safely ❖ RSA ❖ Diffie-Hellman “DH” ❖ Ephemeral keys “E” ❖ PFS - “Perfect Forward Secrecy”

8. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 Cipher suites ❖ Sets of KX, ciphers and signature ❖ 1.2: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ❖ 1.3: TLS_CHACHA20_POLY1305_SHA256 ❖ Client lists options, server chooses ❖ Server needs a range to support different clients ❖ Typically set in web server config - nginx, apache

9. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

   1.3 What needed to change? ❖ Previous specs mostly additive - legacy cruft! ❖ Old, bad ciphers, hashes, KX, extensions ❖ Inefficiency, performance ❖ Complexity ❖ Easy to implement insecurely ❖ HTTP/2

10. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 Out with the old ❖ Legacy ciphers: ❖ RC4, export ciphers, CBC mode ❖ Compression, renegotiation ❖ RSA key exchange ❖ MD5, SHA-1 hash ❖ Arbitrary Diffie-Hellman groups

11. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 In with the new ❖ AEAD ciphers only ❖ PFS-only ❖ Reduced round trip overhead ❖ All handshake messages encrypted after ServerHello ❖ ECC now in base spec ❖ Downgrade protection

12. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 TLS Overhead

13. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 TLS Overhead

14. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 TLS 1.2 handshake Key Share Client Finished Server Finished HTTP Request HTTP Response ServerHello Cipher Suite Key Share Certificate & Signature ClientHello Cipher list 50ms 300ms

15. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 TLS 1.3 handshake ClientHello Cipher List Key Share ServerHello Cipher Suite Key Share Certificate & Signature Server Finished Client Finished HTTP Request HTTP Response 200ms

16. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 TLS 1.2 resumption ClientHello Session ID or Ticket ServerHello Server Finished Client Finished HTTP Request HTTP Response 200ms

17. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 TLS 1.3 resumption ClientHello Session ticket Key Share HTTP GET ServerHello Key Share Server Finished HTTP Response 0-RTT!

18. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 Downgrade protection ❖ Common attack vector during initial connection ❖ 1.3 client -> 1.3 server ❖ MITM attacker downgrades to 1.2 (or lower) ❖ Magic “sentinel” bytes in random value of response to ClientHello allows downgrade to be spotted 44 4F 57 4E 47 52 44 D O W N G R D

19. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 Deploying TLS 1.3 (Nginx) ❖ STOP PRESS: Nginx 1.13.0 supports TLS 1.3! ❖ ssl_protocols TLSv1.3; ❖ ssl_ciphers TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384; ❖ Disable anything you don’t need - match audience ❖ Outsource to CDNs like CloudFlare

20. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 Testing TLS ❖ For all TLS versions ❖ Qualys SSL Labs ❖ testssl.sh ❖ securityheaders.io ❖ Automate security checks: ❖ hardenize.com, se.cr

21. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 Can you use TLSv1.3? ❖ Yes! ❖ Development browsers already have it ❖ Development builds of several libraries & servers already have it ❖ Support now in nginx! ❖ No! ❖ It’s not production-ready yet ❖ But some services can help you - CloudFlare

22. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 Questions

23. Craft Conference 2017 Budapest Marcus Bointon What’s new in TLS

    1.3 Thank you! ❖ Marcus Bointon ❖ [email protected] ❖ @SynchroM, [email protected] ❖ Github & Stack Overflow: Synchro