What's new in TLS 1.3 (ConFoo 2019)

Transcript

1. What’s new in TLS 1.3 Marcus Bointon Technical director, Synchromedia

   Limited Smartmessages.net Radically Open Security

2. Marcus Bointon | @SynchroM What’s new in TLS 1.3 What

   is TLS? ❖ Transport Layer Security - TLS ❖ Defines a standard (RFC) framework - not an implementation ❖ Provides confidentiality through encryption ❖ Provides authentication ❖ Protects integrity, prevents tampering - Validation / verification / signatures ❖ Many implementations: OpenSSL, LibreSSL, BearSSL, BoringSSL, GnuTLS, Secure Transport (macOS) ❖ Used in HTTPS, SMTP, IMAP, POP3, FTPS, VPNs etc

3. Marcus Bointon | @SynchroM What’s new in TLS 1.3 What’s

   in a name? ❖ The “new” name for SSL (since 1999!) ❖ SSLv2, SSLv3… ❖ TLSv1.0, TLSv1.1, TLSv1.2… ❖ Much bikeshedding: TLSv1.3? TLSv2.0? SSLv4? SSLv5? ❖ TLSv1.3 a.k.a. RFC 8446

4. Marcus Bointon | @SynchroM What’s new in TLS 1.3 What

   needed to change? ❖ Previous specs mostly additive - legacy cruft! ❖ Inefficiency, performance ❖ Complexity ❖ Easy to implement insecurely ❖ HTTP/2

5. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Out

   with the old ❖ Legacy ciphers: ❖ RC4, export ciphers, CBC mode ❖ Compression, renegotiation ❖ RSA key exchange ❖ MD5, SHA-1 hash ❖ Arbitrary Diffie-Hellman groups

6. Marcus Bointon | @SynchroM What’s new in TLS 1.3 In

   with the new ❖ AEAD ciphers only ❖ PFS-only ❖ Reduced round-trip overhead ❖ All handshake messages encrypted after ServerHello ❖ ECC in base spec ❖ Downgrade protection

7. Marcus Bointon | @SynchroM What’s new in TLS 1.3 A

   difficult delivery ❖ TLS 1.3 initial drafts in 2016 ❖ I gave a talk on this same subject in 2017 — 1.3 was “imminent” ❖ Finance industry wanted back doors for “middleboxes” ❖ Took so long, some products released with incompatible draft spec ❖ Finally released in August 2018 ❖ OpenSSL 1.1.1 adds support September 2018

8. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

   Hashes ❖ “One-way” encryption ❖ Integrity checking, file comparison, passwords ❖ Old: MD5, SHA-1 ❖ Fast: SHA-2 (256, 384, 512), SHA-3 ❖ Slow: bcrypt, Argon2 for passwords - not in TLS ❖ Anybody can generate one

9. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

   MACs ❖ Message Authentication Code - Digital Signature ❖ Ensures integrity & authenticity ❖ Like a hash, but adds a key ❖ HMAC algorithm does exactly that ❖ Only key holders can generate a MAC ❖ HMAC-SHA256 ❖ Poly1305

10. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

    Ciphers ❖ Algorithms for encryption ❖ Symmetric ❖ Only private keys - fast; AES, ChaCha20 ❖ Asymmetric ❖ Public & private keys - slow; RSA, ECDSA ❖ Stream (ChaCha20) & block (AES) ❖ AEAD ciphers: AES-GCM, AES-CCM, ChaCha20-Poly1305

11. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Components:

    Key Exchange ❖ Enable the switch from asymmetric to symmetric ciphers by passing a private key safely ❖ x25519, x448 ❖ Diffie-Hellman “DH” ❖ Ephemeral keys “E” ❖ Elliptic curves “EC” ❖ PFS - “Perfect Forward Secrecy”

12. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Cipher

    suites ❖ Sets of KX, ciphers and signature ❖ 1.2: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ❖ 1.3: TLS_CHACHA20_POLY1305_SHA256 ❖ Client lists options, server chooses* ❖ Server needs a range to support different clients ❖ Typically set in web server config - nginx, apache

13. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    Overhead (Bad)

14. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    Overhead (Good)

15. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.2 handshake Key Share Client Finished Server Finished HTTP Request HTTP Response ServerHello Cipher Suite Key Share Certificate & Signature ClientHello Cipher list 50ms 300ms

16. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.3 handshake ClientHello Cipher List Key Share ServerHello Cipher Suite Key Share Certificate & Signature Server Finished Client Finished HTTP Request HTTP Response 200ms

17. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.2 resumption ClientHello Session ID or Ticket ServerHello Server Finished Client Finished HTTP Request HTTP Response 200ms

18. Marcus Bointon | @SynchroM What’s new in TLS 1.3 TLS

    1.3 resumption ClientHello Session ticket Key Share HTTP GET ServerHello Key Share Server Finished HTTP Response 0-RTT!

19. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Downgrade

    protection ❖ Common attack vector during initial connection ❖ 1.3 client -> 1.3 server ❖ MITM attacker downgrades to 1.2 (or lower) ❖ Magic “sentinel” bytes in random value of response to ClientHello allows downgrade to be spotted 44 4F 57 4E 47 52 44 D O W N G R D

20. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Deploying

    TLS 1.3 (Nginx) ❖ Nginx >1.13.0 supports TLS 1.3 ❖ ssl_protocols TLSv1.3; ❖ ssl_ciphers TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384; ❖ Disable anything you don’t need - match audience ❖ Outsource to CDNs like CloudFlare

21. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Testing

    TLS ❖ For all TLS versions ❖ Qualys SSL Labs ❖ testssl.sh ❖ securityheaders.io ❖ Automate security checks: ❖ hardenize.com, se.cr

22. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Can

    you use TLSv1.3? ❖ Yes! ❖ Browsers ❖ Critical libraries & servers ❖ Some services can help you - CloudFlare, Akamai ❖ Corporate firewalls can be troublesome

23. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Understanding

    TLS ❖ Tons of resources ❖ https://tls13.ulfheim.net ❖ https://www.davidwong.fr/tls13/ ❖ CloudFlare, Akamai, Fastly

24. Marcus Bointon | @SynchroM What’s new in TLS 1.3 Thank

    you! ❖ Marcus Bointon ❖ [email protected] ❖ @SynchroM ❖ Github & Stack Exchange: Synchro