Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What's new in TLS 1.3 (ConFoo 2019)

What's new in TLS 1.3 (ConFoo 2019)

TLS encryption is an important part of websites, service and app deployment, and plays a vital role in protecting data in transit. TLS 1.2 has been around since 2008, and it's being replaced by the excitingly-named TLS 1.3. This talk will give you a rundown on the shortcomings of TLS 1.2 and earlier versions, how and why 1.3 changes things, and what changes you may need to make in your deployments to take advantage of the 1.3 enhancements.

B4814d6790e91f01c77cac9d25db12b6?s=128

Marcus Bointon

March 15, 2019
Tweet

Transcript

  1. What’s new in TLS 1.3 Marcus Bointon Technical director, Synchromedia

    Limited Smartmessages.net Radically Open Security
  2. Marcus Bointon | @SynchroM What’s new in TLS 1.3 What

    is TLS? ❖ Transport Layer Security - TLS ❖ Defines a standard (RFC) framework - not an implementation ❖ Provides confidentiality through encryption ❖ Provides authentication ❖ Protects integrity, prevents tampering - Validation / verification / signatures ❖ Many implementations: OpenSSL, LibreSSL, BearSSL, BoringSSL, GnuTLS, Secure Transport (macOS) ❖ Used in HTTPS, SMTP, IMAP, POP3, FTPS, VPNs etc
  3. Marcus Bointon | @SynchroM What’s new in TLS 1.3 What’s

    in a name? ❖ The “new” name for SSL (since 1999!) ❖ SSLv2, SSLv3… ❖ TLSv1.0, TLSv1.1, TLSv1.2… ❖ Much bikeshedding: TLSv1.3? TLSv2.0? SSLv4? SSLv5? ❖ TLSv1.3 a.k.a. RFC 8446
  4. Marcus Bointon | @SynchroM What’s new in TLS 1.3 What

    needed to change? ❖ Previous specs mostly additive - legacy cruft! ❖ Inefficiency, performance ❖ Complexity ❖ Easy to implement insecurely ❖ HTTP/2
  5. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Out

    with the old ❖ Legacy ciphers: ❖ RC4, export ciphers, CBC mode ❖ Compression, renegotiation ❖ RSA key exchange ❖ MD5, SHA-1 hash ❖ Arbitrary Diffie-Hellman groups
  6. Marcus Bointon | @SynchroM What’s new in TLS 1.3 In

    with the new ❖ AEAD ciphers only ❖ PFS-only ❖ Reduced round-trip overhead ❖ All handshake messages encrypted after ServerHello ❖ ECC in base spec ❖ Downgrade protection
  7. Marcus Bointon | @SynchroM What’s new in TLS 1.3 A

    difficult delivery ❖ TLS 1.3 initial drafts in 2016 ❖ I gave a talk on this same subject in 2017 — 1.3 was “imminent” ❖ Finance industry wanted back doors for “middleboxes” ❖ Took so long, some products released with incompatible draft spec ❖ Finally released in August 2018 ❖ OpenSSL 1.1.1 adds support September 2018
  8. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

    Hashes ❖ “One-way” encryption ❖ Integrity checking, file comparison, passwords ❖ Old: MD5, SHA-1 ❖ Fast: SHA-2 (256, 384, 512), SHA-3 ❖ Slow: bcrypt, Argon2 for passwords - not in TLS ❖ Anybody can generate one
  9. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

    MACs ❖ Message Authentication Code - Digital Signature ❖ Ensures integrity & authenticity ❖ Like a hash, but adds a key ❖ HMAC algorithm does exactly that ❖ Only key holders can generate a MAC ❖ HMAC-SHA256 ❖ Poly1305
  10. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

    Ciphers ❖ Algorithms for encryption ❖ Symmetric ❖ Only private keys - fast; AES, ChaCha20 ❖ Asymmetric ❖ Public & private keys - slow; RSA, ECDSA ❖ Stream (ChaCha20) & block (AES) ❖ AEAD ciphers: AES-GCM, AES-CCM, ChaCha20-Poly1305
  11. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

    Key Exchange ❖ Enable the switch from asymmetric to symmetric ciphers by passing a private key safely ❖ x25519, x448 ❖ Diffie-Hellman “DH” ❖ Ephemeral keys “E” ❖ Elliptic curves “EC” ❖ PFS - “Perfect Forward Secrecy”
  12. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Cipher

    suites ❖ Sets of KX, ciphers and signature ❖ 1.2: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ❖ 1.3: TLS_CHACHA20_POLY1305_SHA256 ❖ Client lists options, server chooses* ❖ Server needs a range to support different clients ❖ Typically set in web server config - nginx, apache
  13. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    Overhead (Bad)
  14. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    Overhead (Good)
  15. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.2 handshake Key Share Client Finished Server Finished HTTP Request HTTP Response ServerHello Cipher Suite Key Share Certificate & Signature ClientHello Cipher list 50ms 300ms
  16. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.3 handshake ClientHello Cipher List Key Share ServerHello Cipher Suite Key Share Certificate & Signature Server Finished Client Finished HTTP Request HTTP Response 200ms
  17. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.2 resumption ClientHello Session ID or Ticket ServerHello Server Finished Client Finished HTTP Request HTTP Response 200ms
  18. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.3 resumption ClientHello Session ticket Key Share HTTP GET ServerHello Key Share Server Finished HTTP Response 0-RTT!
  19. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Downgrade

    protection ❖ Common attack vector during initial connection ❖ 1.3 client -> 1.3 server ❖ MITM attacker downgrades to 1.2 (or lower) ❖ Magic “sentinel” bytes in random value of response to ClientHello allows downgrade to be spotted 44 4F 57 4E 47 52 44 D O W N G R D
  20. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Deploying

    TLS 1.3 (Nginx) ❖ Nginx >1.13.0 supports TLS 1.3 ❖ ssl_protocols TLSv1.3; ❖ ssl_ciphers TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384; ❖ Disable anything you don’t need - match audience ❖ Outsource to CDNs like CloudFlare
  21. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Testing

    TLS ❖ For all TLS versions ❖ Qualys SSL Labs ❖ testssl.sh ❖ securityheaders.io ❖ Automate security checks: ❖ hardenize.com, se.cr
  22. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Can

    you use TLSv1.3? ❖ Yes! ❖ Browsers ❖ Critical libraries & servers ❖ Some services can help you - CloudFlare, Akamai ❖ Corporate firewalls can be troublesome
  23. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Understanding

    TLS ❖ Tons of resources ❖ https://tls13.ulfheim.net ❖ https://www.davidwong.fr/tls13/ ❖ CloudFlare, Akamai, Fastly
  24. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Thank

    you! ❖ Marcus Bointon ❖ marcus@synchromedia.co.uk ❖ @SynchroM ❖ Github & Stack Exchange: Synchro