
ConFoo 2018: Gentle introduction to SSL/TLS, certificates, and TLS 1.3

TLS is the most important and widely-used protocol for secure and encrypted communication, e.g. HTTPS. It offers more than just encryption. TLS also ensures data integrity and strong authentication with X.509 certificates. Did you ever wonder how TLS and CAs actually work? I'll give you the rundown of the basic cryptographic building blocks, protocol handshake, inner structure of certificates, PKI, and what's new in TLS 1.3.

https://confoo.ca/en/yul2018/session/gentle-introduction-to-ssl-tls-certificates-and-tls-1-3

Christian Heimes

March 07, 2018

Transcript

  1. Gentle introduction to SSL/TLS, certificates, and TLS 1.3
     ConFoo 2018 / Montreal
     Christian Heimes, Senior Software Engineer
     [email protected] / [email protected], @ChristianHeimes
  2. Who am I?
     ConFoo Montreal 2018
     • from Hamburg/Germany
     • Linux user since 1997
     • Python and C developer
     • Python core developer since 2008
     • maintainer of ssl and hashlib module
     • Python security team
     • Contributor to OpenSSL
  3. Professional life
     • Senior Software Engineer at Red Hat
     • Security Engineering
     • FreeIPA Identity Management
     • Dogtag PKI
     • Custodia secrets management
  4. Agenda
     • history
     • high level view
     • cryptography 101
     • TLS handshake
     • certs & PKI
     • TLS 1.3
     • books & resources
  5. TLS has exactly one performance problem: it is not used widely enough. Everything else can be optimized.
     https://istlsfastyet.com/
  6. Troy Hunt, I wanna go fast: HTTPS' massive speed advantage
     https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/
  8. Reasons to deploy TLS
     • Privacy
     • Security (ad / malware injection)
     • Performance (HTTP/2)
     • SEO
     • User Experience (password warning)
  9. Secure Sockets Layer / Transport Layer Security
     • SSL 1.0 – never released
     • SSL 2.0 – 1995
     • SSL 3.0 – 1996
     • TLS 1.0 – 1999
     • TLS 1.1 – 2006
     • TLS 1.2 – 2008
     • TLS 1.3 – 2014, 2015, 2016, 2017, 2018?
  10. Attacks
     • Bleichenbacher (1998), ROBOT (2018): CCA2
     • Renegotiation (2009)
     • BEAST (2011): TLS 1.0 CBC IV
     • POODLE (2014): padding oracle
     • CRIME, TIME, BREACH (2012-13): compression
     • Heartbleed (2014): OpenSSL
     • FREAK, Logjam (2015): downgrade
     • SLOTH, SWEET32 (2016): weak crypto
     RFC 7457 “Summarizing Known Attacks on TLS and DTLS”
  11. Libraries
     • OpenSSL
     • LibreSSL (OpenBSD, partly incompatible fork)
     • BoringSSL (Google, API incompatible fork)
     • NSS (Mozilla Firefox)
     • SChannel (Microsoft)
     • Secure Transport (Apple)
     • more: GnuTLS, Java JSSE, Go crypto/tls, kTLS
  12. Wikipedia definition
     Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL) – are cryptographic protocols that provide communications security over a computer network. The TLS protocol aims primarily to provide privacy and data integrity between two communicating computer applications.
  13. TLS core features
     • encrypted transport stream
     • application protocol agnostic
     • integrity check
     • replay attack protection
     • strong authentication of server
     • strong authentication of client (optional)
     • extensible protocol
  14. TLS standard
     • IETF standard (Internet Engineering Task Force)
     • IANA (Internet Assigned Numbers Authority)
     • TLS (TCP) / DTLS (UDP)
     • ASN.1
     • PKI with X.509 certificates
  15. Cryptographically secure hash functions
     Hash functions for MAC, signatures, and more.
     • MD5
     • SHA (SHA1)
     • SHA2
       • SHA-256
       • SHA-384
  16. Symmetric-key algorithm (bulk encryption)
     Same key for encryption and decryption.
     • DES
     • Triple DES (3DES)
     • RC4
     • AES (AES-128, AES-256)
     • CHACHA20
  17. Symmetric-key algorithm (2)
     • Padding
     • Mode of operation
       • CBC
       • GCM
     • Authenticated encryption
       • CBC with MtE
       • AEAD (GCM, Poly1305)
  18. Asymmetric cryptographic algorithms
     Public / private key cryptography:
     • asymmetric encryption
     • signatures
     • key agreement
  19. Asymmetric encryption
     Public key encrypts, private key decrypts.
     • ElGamal encryption
     • RSA encryption (PKCS#1)
       • RSAES-PKCS1-v1.5
       • RSAES-OAEP
  20. Asymmetric signatures
     Private key signs hash of message, public key verifies.
     • RSA signature (PKCS#1)
       • RSASSA-PKCS1-v1.5
       • RSASSA-PSS
     • DSS (DSA)
     • ECDSA (secp256r1, secp384r1, …)
     • EdDSA (Edwards Curve25519, …)
  21. Key agreement protocol
     Own private key + peer's public key = shared key.
     • finite field Diffie-Hellman (DH)
     • elliptic curve Diffie-Hellman (ECDH)
     • ephemeral DH / ECDH
  22. Misc
     • random number generator (CPRNG)
     • HMAC
     • Key Derivation Function (KDF)
     • Key Wrapping (KW)
     • …
  23. Cryptographic building blocks
     • key agreement / exchange
     • authentication algorithm
     • bulk encryption (symmetric)
     • cipher mode
     • one-way function for message authentication (MAC)
  24. TLS handshake with RSA key exchange
     DNS lookup, TCP handshake
     Client -> Server: ClientHello (supported cipher suites, max version, client random, ...)
     Server -> Client: ServerHello (selected cipher suite, version, server random, ...), Certificate Chain, ServerHelloDone
     Client -> Server: ClientKeyExchange (RSA encrypted pre-master secret), ChangeCipherSpec, Finish (MAC of handshake messages)
     Server -> Client: ChangeCipherSpec, Finish (MAC of handshake messages)
     Client -> Server: HTTP GET (verify MAC)
  25. TLS handshake with RSA key exchange
     ✔ negotiate TLS version
     ✔ negotiate cipher suite
     ✔ validate server cert chain
     ✔ replay protection: MAC client/server random
     ✗ no forward secrecy
  26. TLS handshake with Diffie-Hellman
     Client -> Server: ClientHello (supported cipher suites, max version, client random, ...)
     Server -> Client: ServerHello (selected cipher suite, version, server random, ...), Certificate Chain, ServerKeyExchange (Diffie-Hellman server params, signature), ServerHelloDone
     Client -> Server: ClientKeyExchange (Diffie-Hellman params), ChangeCipherSpec, Finish (MAC of handshake messages)
     Server -> Client: ChangeCipherSpec, Finish (MAC of handshake messages)
     Client -> Server: HTTP GET (verify MAC)
  27. Ephemeral Diffie-Hellman
     ✔ negotiate TLS version
     ✔ negotiate cipher suite
     ✔ validate server cert chain
     ✔ replay protection: MAC client/server random
     ✔ perfect forward secrecy
     ✗ actually no PFS…
  28. X.509 certificates
     • ASN.1
       • CER/DER: binary ASN.1
       • PEM: base64 encoded ASN.1 + header/footer
       • P12, PFX: PKCS#12 safe bags
     • cert / private key pair
     • content
       • public key
       • metadata
       • extensions
       • issuer signature
  29. Fields
     • Version (3)
     • Serial number
     • Subject
     • Issuer
     • Validity
       • notBefore
       • notAfter
     • Subject Public Key Information
       • algorithm
       • public key
     • X509v3 extensions
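Slides 28 and 29 describe the encodings (DER as binary ASN.1, PEM as base64 DER between header/footer lines) and the fields. The following added example, written for this page and not part of the talk, decodes a PEM block and walks the DER tag-length-value structure far enough to read the version field; the sample bytes are a hand-constructed fragment of a TBSCertificate, not a real certificate, and show why "Version: 3" is encoded as INTEGER 2.

```python
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM header/footer and base64-decode the DER in between."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def der_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value at offset -> (tag, constructed, value, next_offset)."""
    tag = data[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 and are not handled here")
    length, pos = data[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, bool(tag & 0x20), data[pos:pos + length], pos + length

def der_walk(data: bytes, depth: int = 0):
    """Flatten DER into a list of (depth, tag, value), descending into constructed types."""
    out, pos = [], 0
    while pos < len(data):
        tag, constructed, value, pos = der_tlv(data, pos)
        out.append((depth, tag, value))
        if constructed:
            out.extend(der_walk(value, depth + 1))
    return out

def certificate_version(der: bytes) -> int:
    """Version as openssl prints it: the [0] EXPLICIT INTEGER holds version-1 (v3 is INTEGER 2)."""
    elems = der_walk(der)
    for i, (_, tag, _) in enumerate(elems):
        if tag == 0xA0 and i + 1 < len(elems) and elems[i + 1][1] == 0x02:
            return int.from_bytes(elems[i + 1][2], "big") + 1
    return 1  # v1 certificates omit the version field entirely

# Constructed sample (not a real cert): SEQUENCE { [0] EXPLICIT { INTEGER 2 }, INTEGER serial 0x3e343f }.
SAMPLE_DER = bytes.fromhex("300a" "a003020102" "02033e343f")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```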
  30. X509v3 extensions
     • Basic Constraints
     • Key Usage
     • Extended Key Usage
     • Subject Alternative Name
     • Subject Key ID & Authority Key ID
     • CRL distribution point
     • Authority Information Access (OCSP, parent CA)
     • Certificate Policy & Naming Policy
     • SCT (Certificate Transparency)
     • ...
  31. Certificate types
     • trust anchors (root CA certs)
     • intermediate CA certs
     • end-entity certs
       • server
       • client
       • code signing
       • email
       • CRL/OCSP signing
       • ...
     Chain diagram: root CA (self-signs) -> signs intermediate CA 1 -> signs intermediate CA 2 -> signs end-entity cert
  32. Certificate types (2)
     • root CA
       • Basic Constraints: CA True, no pathlen restriction
       • Key Usage: cert signer, CRL signer
     • intermediate CA certs
       • Basic Constraints: CA True, pathlen: …, 3, 2, 1
       • Key Usage: cert signer, CRL signer
     • end-entity certs
       • Basic Constraints: CA False
       • Key Usage: Digital Signature, Key Encipherment
       • Extended Key Usage: TLS server
       • Subject Alternative Name: dNSName:www.confoo.ca
  33. Hostname matching
     Certificate:
         Data:
             Version: 3 (0x2)
             Serial Number: 3e:34:3f:eb:af:8f:9d:06:cd:da:51:bf:21:47:98:3c
             Signature Algorithm: sha256WithRSAEncryption
             Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
             Validity
                 Not Before: Feb 15 00:00:00 2016 GMT
                 Not After : Feb 14 23:59:59 2019 GMT
             Subject: C = CA, ST = Quebec, L = Boisbriand, O = Conf\C3\A9rence Php Qu\C3\A9bec, OU = CONFOO, CN = *.confoo.ca
             ...
             X509v3 extensions:
                 X509v3 Subject Alternative Name:
                     DNS:*.confoo.ca, DNS:confoo.ca
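The certificate above is valid for the names in its Subject Alternative Name, and a wildcard such as *.confoo.ca only ever stands in for one whole left-most label. The following added example (written for this page, not the speaker's code) implements that matching in the style of RFC 6125: it consults the SAN dNSName entries only, never the CN, and rejects partial or non-left-most wildcards, wildcards that would cover a whole TLD, and wildcards standing in for an IDNA A-label.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def _dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the entire left-most label ("*.confoo.ca"), so
    # "w*.confoo.ca", "www.*.ca" and "*" are rejected; "*.ca" would cover a
    # whole top-level domain and is rejected as well.
    if plabels[0] != "*" or "*" in plabels[1:] or len(plabels) < 3:
        return False
    # One wildcard label matches exactly one hostname label: "*.confoo.ca"
    # covers www.confoo.ca but neither confoo.ca nor a.b.confoo.ca.
    if len(hlabels) != len(plabels):
        return False
    # Do not let a wildcard stand in for an internationalized (xn--) label.
    if hlabels[0].startswith("xn--"):
        return False
    return hlabels[1:] == plabels[1:]

def match_hostname(san_dnsnames, hostname: str) -> bool:
    """True if any Subject Alternative Name dNSName entry covers hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False  # not a syntactically valid hostname, so nothing can match it
    return any(_dnsname_matches(pattern, hostname) for pattern in san_dnsnames)

# SAN entries as shown on the *.confoo.ca certificate above.
CONFOO_SAN = ["*.confoo.ca", "confoo.ca"]
```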
  34. TLS alert
     • close_notify
     • handshake failure
     • no ciphers available
     • unknown_ca
     • decryption_failed
     • …
  35. TLS extensions
     • heartbeat
     • server name indication (virtual hosting)
     • ALPN (HTTP/2)
     • session resumption
     • signature algorithms
     • supported groups (ECDH curves)
  36. TLS handshake with session resumption
     Client -> Server: ClientHello (supported cipher suites, max version, client random, …, Session Ticket)
     Server -> Client: ServerHello (selected cipher suite, version, server random, ...), NewSessionTicket, ChangeCipherSpec, Finish (MAC of handshake messages)
     Client -> Server: ChangeCipherSpec, Finish (MAC of handshake messages)
     Client -> Server: HTTP GET
  37. Session resumption
     • session ticket contains encrypted key
     • ticket encrypted with server's Session Ticket Key
     • STK is a shared key
     • browsers usually request session resumption
     • server sends ticket in first request
     • bad design
       • ticket is not TLS encrypted
       • current master key!
  38. Kill all the bad crypto!
     • RC4, 3DES, AES-CBC
     • MD5, SHA1
     • NULL ciphers
     • arbitrary DH groups and curves
     • static RSA authentication
     • renegotiation
     • compression
     • PKCS#1 v1.5
     • MAC then Encrypt
  39. New modern crypto
     • Elliptic Curve Crypto
       • Edwards Curve (Ed25519)
       • Curve25519, X25519
     • authenticated encryption (AEAD)
       • AES-GCM
       • CHACHA20-Poly1305
     • mandatory Diffie-Hellman PFS → no “out-of-band TLS decryption”
     • RSASSA-PSS signatures
  40. Protocol improvements
     • Cipher negotiation protected by Finish MAC (LogJam)
     • Separation of key agreement, ciphers, authentication
       • Cipher suites: TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256
       • TLS extensions: signature_algorithms, cert_signature_algorithms, elliptic_curves
     • Session resumption with PSK-ECDHE
       • after Finish, TLS encrypted, next master key
     • Encrypted Post-Handshake auth (client cert)
  41. TLS 1.3 with 1-RTT handshake
     Client -> Server: ClientHello (supported ciphers, groups, signatures; supported versions; SNI; Key Share)
     Server -> Client: ServerHello (selected cipher, group, signature; Key Share), ChangeCipherSpec, Certificate Chain, Finish (MAC & Signature)
     Client -> Server: ChangeCipherSpec, Finish (MAC), HTTP GET
  42. Hacks
     • Middlebox compatibility mode
       • Version: TLSv1.2
       • TLS ext: supported_version 0x304
     • Downgrade protection in server random
       • = TLSv1.2: DOWNGRD\x00
       • < TLSv1.2: DOWNGRD\x01
     • HelloRetryRequest random: SHA256(“HelloRetryRequest”)
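The two server-random tricks on this slide are cheap for a client to check, and the check is what makes downgrade protection worth anything. The block below is an added example written for this page, not the speaker's code; the sentinel byte values follow the published RFC 8446 section 4.1.3 (DOWNGRD followed by 0x01 when a TLS 1.3 server negotiates TLS 1.2, 0x00 when it negotiates TLS 1.1 or below), and the sample server randoms are constructed.

```python
import hashlib

TLS11 = 0x0302
TLS12 = 0x0303
TLS13 = 0x0304

# A TLS 1.3 server that is talked down to an older version plants one of
# these sentinels in the last 8 bytes of its 32-byte ServerHello.random.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"
DOWNGRADE_TLS11_OR_LOWER = b"DOWNGRD\x00"

# A HelloRetryRequest is a ServerHello whose random is this fixed value.
HELLO_RETRY_REQUEST_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()

def is_hello_retry_request(server_random: bytes) -> bool:
    """True when the ServerHello is really a HelloRetryRequest (TLS 1.3 2-RTT path)."""
    return server_random == HELLO_RETRY_REQUEST_RANDOM

def downgrade_detected(server_random: bytes, client_max_version: int, negotiated_version: int) -> bool:
    """True when a client that offered TLS 1.3 ended up on an older version with a sentinel present.

    A sentinel only carries meaning if this client offered TLS 1.3: a server that
    honestly supports nothing newer than TLS 1.2 never sets one, and a client that
    only offered TLS 1.2 has nothing to compare against. A TLS 1.3-capable client
    that sees the sentinel must abort, because the ClientHello was tampered with.
    """
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be exactly 32 bytes")
    if client_max_version < TLS13 or negotiated_version >= TLS13:
        return False
    return server_random[-8:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11_OR_LOWER)

# Constructed sample randoms (a real server fills the first 24 bytes randomly).
SAMPLE_TLS12_DOWNGRADE = bytes(24) + DOWNGRADE_TLS12
SAMPLE_TLS11_DOWNGRADE = bytes(24) + DOWNGRADE_TLS11_OR_LOWER
SAMPLE_HONEST_TLS12 = bytes(32)
```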
  43. TLS 1.3 with 2-RTT retry handshake
     Client -> Server: ClientHello (supported ciphers, groups, signatures; supported versions; Key Share)
     Server -> Client: HelloRetryRequest (selected cipher, group, signature; Cookie)
     Client -> Server: ClientHello (Cookie, new Key Share)
     Server -> Client: ServerHello (selected cipher, group, signature; Key Share), ChangeCipherSpec, Certificate Chain, Finish (MAC & Signature)
     Client -> Server: ChangeCipherSpec, Finish (MAC), HTTP GET
  44. TLS 1.3 with 0-RTT early data
     Client -> Server: ClientHello (PSK + PSK mode, Key Share), Early data: HTTP GET
     Server -> Client: ServerHello (PSK, Key Share), Finish (MAC & Signature), Early data: HTTP Response
     Client -> Server: Finish (MAC)
     Server -> Client: NewSessionTicket (PSK)
     TLS Alert: close_notify
  45. 0-RTT caveats
     • Replay attack
     • No forward secrecy
     Applications must define a profile for early data.
  46. Resources
     • https://www.ssllabs.com/ssltest/
     • https://istlsfastyet.com/
     • Deploying TLS 1.3: the great, the good and the bad (33c3) https://www.youtube.com/watch?v=0opakLwtPWk