ConFoo 2018: Gentle introduction to SSL/TLS, certificates, and TLS 1.3

Transcript

1. Gentle introduction to SSL/TLS, certifcates, and TLS 1.3 ConFoo 2018

   / Montreal Christian Heimes Senior Software Engineer [email protected] / [email protected] @ChristianHeimes

2. ConFoo Montreal 2018 2 Who am I? • from Hamburg/Germany

   • Linux user since 1997 • Python and C developer • Python core developer since 2008 • maintainer of ssl and hashlib module • Python security team • Contributor to OpenSSL

3. ConFoo Montreal 2018 3 Professional life • Senior Software Engineer

   at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI • Custudia secrets management

4. Agenda & Takeaways

5. ConFoo Montreal 2018 5 Agenda • history • high level

   view • cryptography 101 • TLS handshake • certs & PKI • TLS 1.3 • books & resources

6. Should I deploy TLS?

7. ConFoo Montreal 2018 7 Yes!

8. ConFoo Montreal 2018 8 Yes, you should!

9. ConFoo Montreal 2018 9 TLS has exactly one performance problem:

   it is not used widely enough. Everything else can be optimized. https://istlsfastyet.com/

10. ConFoo Montreal 2018 10 Troy Hunt, I wanna go fast:

    HTTPS' massive speed advantage https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/

11. ConFoo Montreal 2018 11 Troy Hunt, I wanna go fast:

    HTTPS' massive speed advantage https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/

12. ConFoo Montreal 2018 12 Reasons to deploy TLS • Privacy

    • Security (Ad / Malware injection • Performance (HTTP/2) • SEO • User Experience (password warning)

13. History

14. ConFoo Montreal 2018 14 3 < 1

15. ConFoo Montreal 2018 15 Secure Sockets Layer / Transport Layer

    Security • SSL 1.0 – never released • SSL 2.0 – 1995 • SSL 3.0 – 1996 • TLS 1.0 – 1999 • TLS 1.1 – 2006 • TLS 1.2 – 2008 • TLS 1.3 – 2014, 2015, 2016, 2017, 2018?

16. ConFoo Montreal 2018 16 SSL TLS

17. ConFoo Montreal 2018 17 Attacks • Bleichenbacher (1998), ROBOT (2018),

    CCA2 • Renegotiation (2009) • BEAST (2011), TLS 1.0 CBC IV • POODLE (2014), padding oracle • CRIME, TIME, BREACH (2012-13), compression • Heartbleed (2014), OpenSSL • FREAK, Logjam (2015), downgrade • SLOTH, SWEET32 (2016), weak crypto RFC 7457 “Summarizing Known Attacks on TLS and DTLS”

18. ConFoo Montreal 2018 18 Libraries • OpenSSL • LibreSSL (OpenBSD,

    partly incompatible fork) • BoringSSL (Google, API incompatible fork) • NSS (Mozilla Firefox) • SChannel (Microsoft) • Secure Transport (Apple) • more: GnuTLS, Java JSSE, Go crypto/tls, kTLS

19. 10,000 foot high level view

20. ConFoo Montreal 2018 20

21. ConFoo Montreal 2018 21 “TLS” = ”encryption”

22. ConFoo Montreal 2018 22 Wikipedia defnition Transport Layer Security (TLS)

    – and its predecessor, Secure Sockets Layer (SSL) – are cryptographic protocols that provide communications security over a computer network. The TLS protocol aims primarily to provide privacy and data integrity between two communicating computer applications.

23. ConFoo Montreal 2018 23 TLS core features • encrypted transport

    stream • application protocol agnostic • integrity check • replay attack protection • strong authentication of server • strong authentication of client (optional) • extensible protocol

24. ConFoo Montreal 2018 24 TLS standard • IETF standard (Internet

    engineering task force) • IANA (Internet assigned number authority) • TLS (TCP) / DTLS (UDP) • ASN.1 • PKI with X.509 certifcates

25. Crypto 101

26. ConFoo Montreal 2018 26 Cryptographically secure hash functions Hash functions

    for MAC, signatures, and more. • MD5 • SHA (SHA1) • SHA2 • SHA-256 • SHA-384

27. ConFoo Montreal 2018 27 Symmetric-key algorithm (bulk encryption) Same key

    for encryption and decryption. • DES • Triple DES (3DES) • RC4 • AES (AES-128, AES-256) • CHACHA20

28. ConFoo Montreal 2018 28

29. ConFoo Montreal 2018 29

30. ConFoo Montreal 2018 30 Symmetric-key algorithm (2) • Padding •

    Mode of operation • CBC • GCM • Authenticated encryption • CBC with MtE • AEAD (GCM, Poly1305)

31. ConFoo Montreal 2018 31 Asymmetric cryptographic algorithms public / private

    key cryptography • asymmetric encryption • signatures • key agreement

32. ConFoo Montreal 2018 32 PUBLIC KEY KRÜPTO idea-instructions.com/public-key/ v1.0, CC

    by-nc-sa 4.0

33. ConFoo Montreal 2018 33 Asymmetric encryption public key encrypts, private

    key decrypts • ElGamal encryption • RSA encryption (PKCS#1) • RSAES-PKCS1-v1.5 • RSAES-OAEP

34. ConFoo Montreal 2018 34 Asymmetric signatures private key signs hash

    of message message, public key verifes • RSA signature (PKCS#1) • RSASSA-PKCS1-v1.5 • RSAES-PSS • DSS (DSA) • ECDSA (secp256r1, secp384r1, …) • EdDSA (Edward Curve25519, …)

35. ConFoo Montreal 2018 35 Key agreement protocol own private key

    + peer's public = key • fnite feld Diffe-Hellman (DH) • elliptic curve Diffe-Hellman (ECDH) • ephemeral DH / ECDH

36. ConFoo Montreal 2018 36 Misc • random numbers generator (CPRNG)

    • HMAC • Key Derivation Function (KDF) • Key Wrapping (KW) • …

37. ConFoo Montreal 2018 37 Cryptographic building blocks • key agreement

    / exchange • authentication algorithm • bulk encryption (symmetric) • cipher mode • one-way function for message authentication (MAC)

38. ConFoo Montreal 2018 38 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 SSL_RSA_WITH_NULL_MD5

39. TLS handshake

40. ConFoo Montreal 2018 40 TLS handshake with RSA key exchange

    DNS lookup TCP handshake ClientHello Supported cipher suites max version, client random, ... ServerHello select cipher suite version, server random, ... Certifcate Chain ServerHelloDone Finish MAC of handshake message ChangeCipherSpec ClientKeyChange RSA encrypted pre-master secret Finish MAC of handshake message ChangeCipherSpec HTTP GET (verify mac)

41. ConFoo Montreal 2018 41 openssl s_client -connect www.confoo.ca:443 -servername www.confoo.ca

    -cipher AES256-SHA256

42. ConFoo Montreal 2018 42 TLS handshake with RSA key exchange

    ✔ negotiate TLS version ✔ negotiate cipher suite ✔ validate server cert chain ✔ replay protection: MAC client/server random ✗ no forward secrecy

43. ConFoo Montreal 2018 43 TLS handshake with Diffe-Hellman ClientHello Supported

    cipher suites max version, client random, ... ServerHello select cipher suite version, server random, ... Certifcate Chain ServerHelloDone ClientKeyChange Diffe-Hellman server params Finish MAC of handshake message ChangeCipherSpec Finish MAC of handshake message ChangeCipherSpec HTTP GET (verify mac) ServerKeyExchange Diffe-Hellman server params Signature

44. ConFoo Montreal 2018 44 openssl s_client -connect www.confoo.ca:443 -servername www.confoo.ca

    -cipher ECDHE-RSA-AES128-GCM-SHA256

45. ConFoo Montreal 2018 45 Ephemeral Diffe-Hellman ✔ negotiate TLS version

    ✔ negotiate cipher suite ✔ validate server cert chain ✔ replay protection: MAC client/server random ✔ perfect forward secrecy ✗ actually no PFS…

46. Certifcates & Public Key Infrastructure

47. ConFoo Montreal 2018 47 X.509 certifcates • ASN.1 • CER/DER:

    binary ASN.1 • PEM: base64 encoded ASN.1 + header/footer • P12, PFX: PKCS#12 safe bags • cert / private key pair • content • public key • metadata • extensions • issuer signature

48. ConFoo Montreal 2018 48 Fields • Version (3) • Serial

    number • Subject • Issuer • Validity • notBefore • notAfter • Subject Public Key Information • algorithm • public key • X509v3 extensions

49. ConFoo Montreal 2018 49 X509v3 extensions • Basic Constraints •

    Key Usage • Extended Key Usage • Subject Alternative Name • Subject Key ID & Authority Key ID • CRL distribution point • Authority Information Access (OCSP, parent CA) • Certifcate Policy & Naming Policy • SCT (Certifcate Transparency) • ...

50. ConFoo Montreal 2018 50 Certifcate types • trust anchors (root

    CA certs) • intermediate CA certs • end-entity certs • server • client • code signing • email • CRL/OCSP signing • ... root CA self-signs intermediate CA 1 intermediate CA 2 signs end-entity cert signs signs

51. ConFoo Montreal 2018 51 Certifcate types (2) • root CA

    • Basic Constraints: CA True, no pathlen restriction • Key Usage: cert signer, CRL signer • intermediate CA certs • Basic Constraints: CA True, pathlen: …, 3, 2, 1 • Key Usage: cert signer, CRL signer • end-entity certs • Basic Constraints: CA False • Key Usage: Digital Signature, Key Encipherment • Extended Key Usage: TLS server • Subject Alternative Name: dNSName:www.confoo.ca

52. ConFoo Montreal 2018 52 Extended validation cert?

53. ConFoo Montreal 2018 53 Hostname matching Certificate: Data: Version: 3

    (0x2) Serial Number: 3e:34:3f:eb:af:8f:9d:06:cd:da:51:bf:21:47:98:3c Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3 Validity Not Before: Feb 15 00:00:00 2016 GMT Not After : Feb 14 23:59:59 2019 GMT Subject: C = CA, ST = Quebec, L = Boisbriand, O = Conf\C3\A9rence Php Qu\C3\A9bec, OU = CONFOO, CN = *.confoo.ca ... X509v3 extensions: X509v3 Subject Alternative Name: DNS:*.confoo.ca, DNS:confoo.ca Certificate: Data: Version: 3 (0x2) Serial Number: 3e:34:3f:eb:af:8f:9d:06:cd:da:51:bf:21:47:98:3c Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3 Validity Not Before: Feb 15 00:00:00 2016 GMT Not After : Feb 14 23:59:59 2019 GMT Subject: C = CA, ST = Quebec, L = Boisbriand, O = Conf\C3\A9rence Php Qu\C3\A9bec, OU = CONFOO, CN = *.confoo.ca ... X509v3 extensions: X509v3 Subject Alternative Name: DNS:*.confoo.ca, DNS:confoo.ca

54. ConFoo Montreal 2018 54 Private keys

55. TLS extensions & alerts

56. ConFoo Montreal 2018 56 TLS alert • close_notify • handshake

    failure • no ciphers available • unknown_ca • decryption_failed • …

57. ConFoo Montreal 2018 57 TLS extensions • heart beat •

    server name indication (virtual hosting) • ALPN (HTTP/2) • session resumption • signature algorithms • supported groups (ECDH curves)

58. ConFoo Montreal 2018 58 TLS handshake with session resumption ClientHello

    Supported cipher suites max version, client random, … Session Ticket ServerHello select cipher suite version, server random, ... Finish MAC of handshake message ChangeCipherSpec Finish MAC of handshake message ChangeCipherSpec HTTP GET Finish MAC of handshake message ChangeCipherSpec NewSessionTicket

59. ConFoo Montreal 2018 59 Session resumption • session ticket contains

    encrypted key • ticket encrypted with server's Session Ticket Key • STK is a shared key • browsers usually request session resumption • server sends ticket in frst request • bad design • ticket is not TLS encrypted • current master key!

60. TLS 1.3

61. ConFoo Montreal 2018 61 TLS 1.3 is a major change

62. ConFoo Montreal 2018 62

63. ConFoo Montreal 2018 63 Kill all the bad crypto! •

    RC4, 3DES, AES-CBC • MD5, SHA1 • NULL ciphers • arbitrary DH groups and curves • static RSA authentication • renegotiation • compression • PKCS#1 v1.5 • MAC then Encrypt

64. ConFoo Montreal 2018 64 New modern crypto • Elliptic Curve

    Crypto • Edwards Curve (Ed25519) • Curve25519, X25519 • authenticated encryption (AEAD) • AES-GCM • CHACHA20-Poly1305 • mandatory Diffe-Hellman PFS → • no “out-of-band TLS decryption” • RSAES-PSS signatures

65. ConFoo Montreal 2018 65 Protocol improvements • Cipher negotiation protected

    by Finish MAC (LogJam) • Separation of key agreement, ciphers, authentication • Cipher suites • TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256 • TLS extensions • signature_algorithms, cert_signature_algorithms, elliptic_curves • Session resumption with PSK-ECDHE • after Finish, TLS encrypted, next master key • Encrypted Post-Handshake auth (client cert)

66. ConFoo Montreal 2018 66 TLS 1.3 with 1-RTT handshake ClientHello

    Supported ciphers, groups, signatures supported versions SNI Key Share ServerHello select cipher, group, signature Key Share Certifcate Chain Finish MAC & Signature ChangeCipherSpec Finish MAC HTTP GET ChangeCipherSpec

67. ConFoo Montreal 2018 67 1.1.1-pre1/bin/openssl s_client -connect tls13.crypto.mozilla.org:443 -servername tls13.crypto.mozilla.org

    -tls1_3

68. ConFoo Montreal 2018 68 Hacks • Middlebox compatibility mode •

    Version: TLSv1.2 • TLS ext: supported_version 0x304 • Downgrade protection in server random • = TLSv1.2 DOWNGRD\x00 • < TLSv.1.2 DOWNGRD\x01 • HelloRetryRequest random SHA256(“HelloRetryRequest”)

69. ConFoo Montreal 2018 69 TLS 1.3 with 2-RTT retry handshake

    ClientHello Supported ciphers, groups, signatures supported versions Key Share ServerHello select cipher, group, signature Key Share Certifcate Chain Finish MAC HTTP GET Finish MAC & Signature ChangeCipherSpec ChangeCipherSpec HelloRetryRequest select cipher, group, signature Cookie ClientHello Cookie New Key Share

70. ConFoo Montreal 2018 70 TLS 1.3 with 0-RTT early data

    ClientHello PSK + PSK mode Key Share ServerHello PSK Key Share Finish MAC & Signature NewSessionTicket PSK Early data HTTP GET Early data HTTP Response Finish MAC TLS Alert close_notify

71. ConFoo Montreal 2018 71 0-RTT caveats • Replay attack •

    No forward secrecy Applications must defne a profle for early data

72. Summary

73. ConFoo Montreal 2018 73 Use HTTPS everywhere!

74. Resources

75. ConFoo Montreal 2018 75 Books

76. ConFoo Montreal 2018 76 Resources • https://www.ssllabs.com/ssltest/ • https://istlsfastyet.com/ •

    Deploying TLS 1.3: the great, the good and the bad (33c3) https://www.youtube.com/watch?v=0opakLwtPWk

77. THANK YOU plus.google.com/+RedHat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNews linkedin.com/company/red-hat