ConFoo 2018: Gentle introduction to SSL/TLS, certificates, and TLS 1.3

TLS is the most important and widely-used protocol for secure and encrypted communication, e.g. HTTPS. It offers more than just encryption. TLS also ensures data integrity and strong authentication with X.509 certificates. Did you ever wonder how TLS and CAs actually work? I'll give you the rundown of the basic cryptographic building blocks, protocol handshake, inner structure of certificates, PKI, and what's new in TLS 1.3.

https://confoo.ca/en/yul2018/session/gentle-introduction-to-ssl-tls-certificates-and-tls-1-3

Christian Heimes

March 07, 2018

Transcript

  1. Gentle introduction to
    SSL/TLS, certificates, and TLS 1.3
    ConFoo 2018 / Montreal
    Christian Heimes
    Senior Software Engineer
    [email protected] / [email protected]
    @ChristianHeimes

  2. ConFoo Montreal 2018
    2
    Who am I?

    from Hamburg/Germany

    Linux user since 1997

    Python and C developer

    Python core developer since 2008

    maintainer of ssl and hashlib module

    Python security team

    Contributor to OpenSSL

  3. Professional life

    Senior Software Engineer at Red Hat

    Security Engineering

    FreeIPA Identity Management

    Dogtag PKI

    Custodia secrets management

  4. Agenda & Takeaways

  5. Agenda

    history

    high level view

    cryptography 101

    TLS handshake

    certs & PKI

    TLS 1.3

    books & resources

  6. Should I deploy TLS?

  7. Yes!

  8. Yes, you should!

  9. TLS has exactly one performance problem:
    it is not used widely enough.
    Everything else can be optimized.
    https://istlsfastyet.com/

  10. Troy Hunt, I wanna go fast: HTTPS' massive speed advantage
    https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/

  11. Troy Hunt, I wanna go fast: HTTPS' massive speed advantage
    https://www.troyhunt.com/i-wanna-go-fast-https-massive-speed-advantage/

  12. Reasons to deploy TLS

    Privacy

    Security (ad / malware injection)

    Performance (HTTP/2)

    SEO

    User Experience (password warning)

  13. 3 < 1

  14. Secure Sockets Layer / Transport Layer Security

    SSL 1.0 – never released

    SSL 2.0 – 1995

    SSL 3.0 – 1996

    TLS 1.0 – 1999

    TLS 1.1 – 2006

    TLS 1.2 – 2008

    TLS 1.3 – 2014, 2015, 2016, 2017, 2018?

  15. SSL
    TLS

  16. Attacks

    Bleichenbacher (1998), ROBOT (2018), CCA2

    Renegotiation (2009)

    BEAST (2011), TLS 1.0 CBC IV

    POODLE (2014), padding oracle

    CRIME, TIME, BREACH (2012-13), compression

    Heartbleed (2014), OpenSSL

    FREAK, Logjam (2015), downgrade

    SLOTH, SWEET32 (2016), weak crypto

    RFC 7457 “Summarizing Known Attacks on TLS and DTLS”

  17. Libraries

    OpenSSL

    LibreSSL (OpenBSD, partly incompatible fork)

    BoringSSL (Google, API incompatible fork)

    NSS (Mozilla Firefox)

    SChannel (Microsoft)

    Secure Transport (Apple)

    more: GnuTLS, Java JSSE, Go crypto/tls, kTLS

  18. 10,000 foot
    high level view

  19. (image-only slide)

  20. “TLS”
    =
    “encryption”

  21. Wikipedia definition
    Transport Layer Security (TLS) – and its predecessor, Secure Sockets
    Layer (SSL) – are cryptographic protocols that provide
    communications security over a computer network. The TLS protocol
    aims primarily to provide privacy and data integrity between two
    communicating computer applications.

  22. TLS core features

    encrypted transport stream

    application protocol agnostic

    integrity check

    replay attack protection

    strong authentication of server

    strong authentication of client (optional)

    extensible protocol

  23. TLS standard

    IETF standard (Internet Engineering Task Force)

    IANA (Internet Assigned Numbers Authority)

    TLS (TCP) / DTLS (UDP)

    ASN.1

    PKI with X.509 certificates

  24. Cryptographically secure hash functions
    Hash functions for MAC, signatures, and more.

    MD5

    SHA (SHA1)

    SHA2
      SHA-256
      SHA-384

  25. Symmetric-key algorithm (bulk encryption)
    Same key for encryption and decryption.

    DES

    Triple DES (3DES)

    RC4

    AES (AES-128, AES-256)

    CHACHA20

  26. (image-only slide)

  27. (image-only slide)

  28. Symmetric-key algorithm (2)

    Padding

    Mode of operation
      CBC
      GCM

    Authenticated encryption
      CBC with MtE
      AEAD (GCM, Poly1305)

  29. Asymmetric cryptographic algorithms
    public / private key cryptography

    asymmetric encryption

    signatures

    key agreement

  30. PUBLIC KEY KRÜPTO idea-instructions.com/public-key/
    v1.0, CC by-nc-sa 4.0

  31. Asymmetric encryption
    public key encrypts, private key decrypts

    ElGamal encryption

    RSA encryption (PKCS#1)
      RSAES-PKCS1-v1.5
      RSAES-OAEP

  32. Asymmetric signatures
    private key signs hash of message, public key verifies

    RSA signature (PKCS#1)
      RSASSA-PKCS1-v1.5
      RSASSA-PSS

    DSS (DSA)

    ECDSA (secp256r1, secp384r1, …)

    EdDSA (Edwards curves, Ed25519, …)

  33. Key agreement protocol
    own private key + peer's public key = shared key

    finite field Diffie-Hellman (DH)

    elliptic curve Diffie-Hellman (ECDH)

    ephemeral DH / ECDH

  34. Misc

    random number generator (CPRNG)

    HMAC

    Key Derivation Function (KDF)

    Key Wrapping (KW)

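The two slides above list key agreement and the HMAC/KDF helpers separately; the following example, added here and not taken from the talk, puts them together: an ephemeral finite-field Diffie-Hellman exchange followed by HKDF (the extract-and-expand construction TLS 1.3 builds its key schedule on) to turn the raw shared secret into per-direction traffic keys. It assumes the RFC 2409 1024-bit MODP group purely as a well-known demonstration group; the label strings and the helper names (`derive_traffic_keys`, `run_handshake`) are my own and are simplified relative to the real TLS key schedule.

```python
"""Ephemeral finite-field Diffie-Hellman plus HKDF key derivation.

Added example for this transcript; not code from the talk. It demonstrates
"own private key + peer's public key = shared key", why *ephemeral* keys give
forward secrecy, and how HMAC turns a raw shared secret into traffic keys.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": a 1024-bit safe prime p = 2q + 1 with generator 2.
# Used here only because it is well known and small; deployments should use the
# larger RFC 7919 groups or elliptic-curve DH (X25519, secp256r1).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2                      # order of the subgroup generated by G
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Fresh (private, public) pair; 'ephemeral' means a new one per handshake."""
    priv = secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """Combine own private key with the peer's public value; reject degenerate peers."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("peer public value out of range")
    if pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value not in the prime-order subgroup")
    return pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")


def hkdf_extract(salt, ikm, hashname="sha256"):
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); an empty salt means zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hashname).digest_size
    return hmac.new(salt, ikm, hashname).digest()


def hkdf_expand(prk, info, length, hashname="sha256"):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    hlen = hashlib.new(hashname).digest_size
    if length > 255 * hlen:
        raise ValueError("requested output too long for HKDF-Expand")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashname).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_traffic_keys(shared_secret, client_random, server_random):
    """Simplified derivation: randoms as salt, one labelled expansion per direction.
    (TLS 1.3 uses a longer HKDF-Expand-Label schedule; these labels are my own.)"""
    prk = hkdf_extract(client_random + server_random, shared_secret)
    return {
        "client_write_key": hkdf_expand(prk, b"demo client write key", 16),
        "server_write_key": hkdf_expand(prk, b"demo server write key", 16),
    }


def run_handshake():
    """One ephemeral DH exchange; returns both sides' derived keys for comparison."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # Each side only ever sees the other's *public* value.
    client_keys = derive_traffic_keys(dh_shared_secret(c_priv, s_pub), client_random, server_random)
    server_keys = derive_traffic_keys(dh_shared_secret(s_priv, c_pub), client_random, server_random)
    return client_keys, server_keys


if __name__ == "__main__":
    a, b = run_handshake()
    print("keys agree:", a == b)
    print("client write key:", a["client_write_key"].hex())
```

Running it prints whether both sides derived the same keys; calling `run_handshake()` twice gives two unrelated key sets, which is the property the later "ephemeral DH / PFS" slides rely on. The subgroup check in `dh_shared_secret` is the defensive part: a peer value of 0, 1 or p-1, or one outside the prime-order subgroup, would confine the shared secret to a tiny set, and with a safe prime the check costs one modular exponentiation.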
  35. Cryptographic building blocks

    key agreement / exchange

    authentication algorithm

    bulk encryption (symmetric)

    cipher mode

    one-way function for message authentication (MAC)

  36. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
    SSL_RSA_WITH_NULL_MD5

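A way to see the building blocks of the previous slide inside these names, added here as an example (not code from the talk): parse the KX_AUTH_WITH_CIPHER_MODE_HASH grammar of the IANA registry names and flag the properties the attacks slide warned about. The weakness rules are my own summary, and TLS_AES_128_GCM_SHA256 is included to show the TLS 1.3 form, in which key exchange and authentication are not part of the name.

```python
"""Decompose TLS cipher-suite names into the building blocks from the
previous slides and flag the weak ones.

Added example for this transcript; not code from the talk. The naming
grammar (KX_AUTH_WITH_CIPHER_MODE_HASH) follows the IANA registry; the
weakness rules are my own summary of the attacks listed earlier in the deck.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KEY_EXCHANGES = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "PSK", "SRP"}
AUTHS = {"RSA", "DSS", "ECDSA", "PSK", "anon"}
BULK_CIPHERS = {"NULL", "RC4_40", "RC4_128", "DES", "3DES_EDE", "AES_128", "AES_256",
                "CAMELLIA_128", "CAMELLIA_256", "CHACHA20", "IDEA", "SEED"}
MODES = {"CBC", "GCM", "CCM", "CCM_8", "POLY1305"}
AEAD_MODES = {"GCM", "CCM", "CCM_8", "POLY1305"}
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}

# The four suites from the slide plus one TLS 1.3 name for contrast.
EXAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    "SSL_RSA_WITH_NULL_MD5",
    "TLS_AES_128_GCM_SHA256",
]


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: Optional[str]   # None for TLS 1.3 names: negotiated via extensions
    auth: Optional[str]           # None for TLS 1.3 names
    bulk_cipher: str
    mode: Optional[str]           # None for stream and NULL ciphers
    hash: Optional[str]           # HMAC hash (CBC) or PRF/HKDF hash (AEAD)

    @property
    def aead(self) -> bool:
        return self.mode in AEAD_MODES

    @property
    def forward_secrecy(self) -> bool:
        # TLS 1.3 always uses (EC)DHE; in 1.2 only the ephemeral variants do.
        return self.key_exchange is None or self.key_exchange in {"DHE", "ECDHE"}


def parse_cipher_suite(name: str) -> CipherSuite:
    m = re.fullmatch(r"(?:TLS|SSL)_(.+)", name)
    if not m:
        raise ValueError(f"not a TLS/SSL cipher suite name: {name}")
    body = m.group(1)
    if "_WITH_" in body:
        kx_auth, spec = body.split("_WITH_", 1)
        parts = kx_auth.split("_")
        if len(parts) == 1:              # "RSA" or "PSK": same algorithm for both roles
            kx = auth = parts[0]
        elif len(parts) == 2:            # "ECDHE_ECDSA", "DHE_PSK", "DH_anon"
            kx, auth = parts
        else:
            raise ValueError(f"unrecognised key exchange/auth part: {kx_auth}")
        if kx not in KEY_EXCHANGES or auth not in AUTHS:
            raise ValueError(f"unknown key exchange or auth in {name}")
    else:                                # TLS 1.3 style: TLS_AES_128_GCM_SHA256
        kx = auth = None
        spec = body
    tokens = spec.split("_")
    hash_ = tokens.pop() if tokens[-1] in HASHES else None
    rest = "_".join(tokens)
    mode = None
    for candidate in sorted(MODES, key=len, reverse=True):   # "CCM_8" before "CCM"
        if rest.endswith("_" + candidate):
            mode, rest = candidate, rest[: -len(candidate) - 1]
            break
    if rest not in BULK_CIPHERS:
        raise ValueError(f"unknown bulk cipher {rest!r} in {name}")
    return CipherSuite(name, kx, auth, rest, mode, hash_)


def weaknesses(suite: CipherSuite) -> List[str]:
    """Properties a defender would refuse; an empty list means nothing flagged."""
    issues = []
    if suite.auth == "anon":
        issues.append("anonymous key exchange: no peer authentication")
    if suite.bulk_cipher == "NULL":
        issues.append("NULL cipher: no encryption")
    elif suite.bulk_cipher in {"RC4_40", "RC4_128", "DES", "3DES_EDE"}:
        issues.append(f"{suite.bulk_cipher}: broken or 64-bit block cipher (RC4 biases, SWEET32)")
    if suite.mode == "CBC":
        issues.append("CBC with MAC-then-encrypt: padding-oracle class (BEAST, POODLE)")
    if suite.hash == "MD5":
        issues.append("MD5-based MAC/PRF")
    elif suite.hash == "SHA":
        issues.append("HMAC-SHA1: legacy, prefer SHA-2 suites")
    if not suite.forward_secrecy:
        issues.append("no forward secrecy: static key exchange")
    return issues


def audit(names):
    """Map each suite name to its list of flagged weaknesses."""
    return {n: weaknesses(parse_cipher_suite(n)) for n in names}


if __name__ == "__main__":
    for n, issues in audit(EXAMPLE_SUITES).items():
        print(n, "->", issues or "ok")
```

Feeding `audit()` the output of a server scan (or of `ssl.SSLContext.get_ciphers()` names mapped back to IANA form) gives a quick first pass; the parser refuses names it cannot classify rather than guessing, which is the behaviour you want in an allow-list.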
  37. TLS handshake

  38. TLS handshake with RSA key exchange
    DNS lookup
    TCP handshake
    Client → Server: ClientHello (supported cipher suites, max version, client random, ...)
    Server → Client: ServerHello (select cipher suite; version, server random, ...)
    Server → Client: Certificate Chain
    Server → Client: ServerHelloDone
    Client → Server: ClientKeyExchange (RSA encrypted pre-master secret)
    Client → Server: ChangeCipherSpec
    Client → Server: Finish (MAC of handshake messages; server verifies MAC)
    Server → Client: ChangeCipherSpec
    Server → Client: Finish (MAC of handshake messages; client verifies MAC)
    Client → Server: HTTP GET

  39. openssl s_client
    -connect www.confoo.ca:443
    -servername www.confoo.ca
    -cipher AES256-SHA256

  40. TLS handshake with RSA key exchange

    negotiate TLS version

    negotiate cipher suite

    validate server cert chain

    replay protection: MAC client/server random

    no forward secrecy

  41. TLS handshake with Diffie-Hellman
    Client → Server: ClientHello (supported cipher suites, max version, client random, ...)
    Server → Client: ServerHello (select cipher suite; version, server random, ...)
    Server → Client: Certificate Chain
    Server → Client: ServerKeyExchange (Diffie-Hellman server params, signature)
    Server → Client: ServerHelloDone
    Client → Server: ClientKeyExchange (Diffie-Hellman client params)
    Client → Server: ChangeCipherSpec
    Client → Server: Finish (MAC of handshake messages; server verifies MAC)
    Server → Client: ChangeCipherSpec
    Server → Client: Finish (MAC of handshake messages; client verifies MAC)
    Client → Server: HTTP GET

  42. openssl s_client
    -connect www.confoo.ca:443
    -servername www.confoo.ca
    -cipher ECDHE-RSA-AES128-GCM-SHA256

  43. Ephemeral Diffie-Hellman

    negotiate TLS version

    negotiate cipher suite

    validate server cert chain

    replay protection: MAC client/server random

    perfect forward secrecy

    actually no PFS…

  44. Certificates
    &
    Public Key Infrastructure

  45. X.509 certificates

    ASN.1
      CER/DER: binary ASN.1
      PEM: base64 encoded ASN.1 + header/footer
      P12, PFX: PKCS#12 safe bags (cert / private key pair)

    content
      public key
      metadata
      extensions
      issuer signature

  46. Fields

    Version (3)

    Serial number

    Subject

    Issuer

    Validity
      notBefore
      notAfter

    Subject Public Key Information
      algorithm
      public key

    X509v3 extensions

  47. X509v3 extensions

    Basic Constraints

    Key Usage

    Extended Key Usage

    Subject Alternative Name

    Subject Key ID & Authority Key ID

    CRL distribution point

    Authority Information Access (OCSP, parent CA)

    Certificate Policy & Naming Policy

    SCT (Certificate Transparency)

    ...

  48. Certificate types

    trust anchors (root CA certs)

    intermediate CA certs

    end-entity certs
      server
      client
      code signing
      email
      CRL/OCSP signing
      ...

    root CA (self-signs)
      signs → intermediate CA 1
        signs → intermediate CA 2
          signs → end-entity cert

  49. Certificate types (2)

    root CA
      Basic Constraints: CA True, no pathlen restriction
      Key Usage: cert signer, CRL signer

    intermediate CA certs
      Basic Constraints: CA True, pathlen: …, 3, 2, 1
      Key Usage: cert signer, CRL signer

    end-entity certs
      Basic Constraints: CA False
      Key Usage: Digital Signature, Key Encipherment
      Extended Key Usage: TLS server
      Subject Alternative Name: dNSName:www.confoo.ca

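To make the Basic Constraints and path length rules above concrete, here is an added example (mine, not from the talk or any PKI library) that walks a chain modelled as plain records and reports structural violations. The certificates and names are constructed sample data; signature, validity and revocation checks are deliberately left to the TLS library.

```python
"""Structural checks on a certificate chain: Basic Constraints, path length,
Key Usage and Extended Key Usage, as summarised on the slide above.

Added example for this transcript; not code from the talk or from any PKI
library. Certificates are modelled as plain records (constructed sample data
below); signature verification, validity dates and revocation are out of
scope here and would be done by the TLS library.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool                                     # Basic Constraints: CA
    pathlen: Optional[int] = None                # Basic Constraints: pathLenConstraint
    key_usage: FrozenSet[str] = frozenset()      # e.g. keyCertSign, digitalSignature
    ext_key_usage: FrozenSet[str] = frozenset()  # e.g. serverAuth
    san: Tuple[str, ...] = ()                    # dNSName entries


def check_chain(chain: List[Cert], root: Cert) -> List[str]:
    """chain is [end-entity, intermediate closest to it, ..., intermediate signed by root].
    Returns a list of violations; an empty list means the structure is acceptable."""
    problems = []
    leaf, intermediates = chain[0], chain[1:]

    if leaf.ca:
        problems.append(f"{leaf.subject}: end-entity cert must not assert CA=True")
    if "serverAuth" not in leaf.ext_key_usage:
        problems.append(f"{leaf.subject}: missing Extended Key Usage serverAuth")
    if not (leaf.key_usage & {"digitalSignature", "keyEncipherment"}):
        problems.append(f"{leaf.subject}: Key Usage allows neither signing nor key encipherment")
    if not leaf.san:
        problems.append(f"{leaf.subject}: no Subject Alternative Name")

    # Walk upwards: every issuer must be a CA allowed to sign certificates,
    # and its name must match the issuer field of the cert below it.
    path = chain + [root]
    for below, above in zip(path, path[1:]):
        if below.issuer != above.subject:
            problems.append(f"{below.subject}: issuer {below.issuer!r} does not match {above.subject!r}")
        if not above.ca:
            problems.append(f"{above.subject}: used as issuer but CA=False")
        if "keyCertSign" not in above.key_usage:
            problems.append(f"{above.subject}: issuer lacks Key Usage keyCertSign")

    # pathLenConstraint limits the number of CA certs *below* this one (leaf excluded).
    # intermediates[i] has exactly i CA certs beneath it; the root has len(intermediates).
    for depth, ca in enumerate(intermediates + [root]):
        if ca.pathlen is not None and depth > ca.pathlen:
            problems.append(f"{ca.subject}: pathlen {ca.pathlen} exceeded ({depth} CA certs below)")
    return problems


CA_USAGE = frozenset({"keyCertSign", "cRLSign"})
LEAF_USAGE = frozenset({"digitalSignature", "keyEncipherment"})
SERVER_EKU = frozenset({"serverAuth"})

# Constructed sample hierarchy matching the slide's drawing: root -> CA 1 -> CA 2 -> end-entity.
ROOT = Cert("Demo Root CA", "Demo Root CA", ca=True, pathlen=None, key_usage=CA_USAGE)
INTER1 = Cert("Demo Intermediate CA 1", "Demo Root CA", ca=True, pathlen=1, key_usage=CA_USAGE)
INTER2 = Cert("Demo Intermediate CA 2", "Demo Intermediate CA 1", ca=True, pathlen=0, key_usage=CA_USAGE)
LEAF = Cert("www.confoo.ca", "Demo Intermediate CA 2", ca=False,
            key_usage=LEAF_USAGE, ext_key_usage=SERVER_EKU, san=("www.confoo.ca",))

GOOD_CHAIN = [LEAF, INTER2, INTER1]


def swapped_chain() -> List[Cert]:
    """Same CAs, but CA 2 (pathlen 0) placed above CA 1, so the constraint is violated."""
    inter2_top = Cert("Demo Intermediate CA 2", "Demo Root CA", ca=True, pathlen=0, key_usage=CA_USAGE)
    inter1_mid = Cert("Demo Intermediate CA 1", "Demo Intermediate CA 2", ca=True, pathlen=1, key_usage=CA_USAGE)
    leaf = Cert("www.confoo.ca", "Demo Intermediate CA 1", ca=False,
                key_usage=LEAF_USAGE, ext_key_usage=SERVER_EKU, san=("www.confoo.ca",))
    return [leaf, inter1_mid, inter2_top]


if __name__ == "__main__":
    print("good chain:", check_chain(GOOD_CHAIN, ROOT) or "ok")
    print("swapped chain:", check_chain(swapped_chain(), ROOT))
```

The path length loop is the part people get wrong: the constraint counts CA certificates beneath the constrained CA, not the total chain length, so an intermediate with pathlen 0 may sign end-entity certs only, and an end-entity cert used as an issuer fails on both CA=False and keyCertSign.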
  50. Extended validation cert?

  51. Hostname matching
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                3e:34:3f:eb:af:8f:9d:06:cd:da:51:bf:21:47:98:3c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
        Validity
            Not Before: Feb 15 00:00:00 2016 GMT
            Not After : Feb 14 23:59:59 2019 GMT
        Subject: C = CA, ST = Quebec, L = Boisbriand, O = Conf\C3\A9rence Php Qu\C3\A9bec, OU = CONFOO, CN = *.confoo.ca
        ...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.confoo.ca, DNS:confoo.ca

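The SAN line above is what a client actually matches against. The following example is added here (it is mine, not the talk's and not the Python ssl module's matcher): it parses that openssl-style line and applies the wildcard rules, including the cases a naive comparison gets wrong: the bare domain, extra labels, and partial wildcards. The sample SAN line is taken from the slide.

```python
"""Hostname matching against the Subject Alternative Name of a certificate.

Added example for this transcript; not code from the talk and not the ssl
module's own matcher. It parses the SAN line as printed by `openssl x509 -text`
(the line shown on the slide) and applies the usual wildcard rules: only a
whole leftmost label may be "*", it matches exactly one label, and it never
matches the bare domain.
"""
import ipaddress
from typing import List

SAN_LINE_FROM_SLIDE = "DNS:*.confoo.ca, DNS:confoo.ca"


def parse_san_dns(line: str) -> List[str]:
    """Return the dNSName entries from an openssl-style SAN line (other types ignored)."""
    names = []
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS" and value:
            names.append(value)
    return names


def _normalise(name: str) -> str:
    return name.rstrip(".").lower()   # trailing dot and case are not significant


def _pattern_matches(pattern: str, host: str) -> bool:
    pattern, host = _normalise(pattern), _normalise(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label with at least two labels after it,
    # so "*.confoo.ca" is allowed but "w*.confoo.ca" and "*.ca" are not.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # "*" matches exactly one label: www.confoo.ca yes, confoo.ca and a.b.confoo.ca no.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:] and h_labels[0] != ""


def match_hostname(san_dns_names: List[str], hostname: str) -> bool:
    """True if hostname is covered by any SAN dNSName; IP literals never match DNS names."""
    try:
        ipaddress.ip_address(hostname)
        return False                  # an IP must match an IP Address SAN, handled elsewhere
    except ValueError:
        pass
    return any(_pattern_matches(p, hostname) for p in san_dns_names)


def check_cert_hostname(san_line: str, hostname: str) -> bool:
    """Convenience: parse the SAN line from `openssl x509 -text` output and match."""
    return match_hostname(parse_san_dns(san_line), hostname)


if __name__ == "__main__":
    for host in ["www.confoo.ca", "confoo.ca", "api.v2.confoo.ca", "confoo.ca.example.net"]:
        print(f"{host:28s} -> {check_cert_hostname(SAN_LINE_FROM_SLIDE, host)}")
```

Note that the Common Name (`CN = *.confoo.ca` in the dump) is never consulted: modern clients require the name to appear in the SAN extension, which is why the certificate lists the bare domain there as well.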
  52. Private keys

  53. TLS
    extensions & alerts

  54. TLS alert

    close_notify

    handshake failure

    no ciphers available

    unknown_ca

    decryption_failed

  55. TLS extensions

    heartbeat

    server name indication (virtual hosting)

    ALPN (HTTP/2)

    session resumption

    signature algorithms

    supported groups (ECDH curves)

  56. TLS handshake with session resumption
    Client → Server: ClientHello (supported cipher suites, max version, client random, …; Session Ticket)
    Server → Client: ServerHello (select cipher suite; version, server random, ...)
    Server → Client: NewSessionTicket
    Server → Client: ChangeCipherSpec
    Server → Client: Finish (MAC of handshake messages)
    Client → Server: ChangeCipherSpec
    Client → Server: Finish (MAC of handshake messages)
    Client → Server: HTTP GET

  57. Session resumption

    session ticket contains encrypted key

    ticket encrypted with server's Session Ticket Key

    STK is a shared key

    browsers usually request session resumption

    server sends ticket in first request

    bad design
      ticket is not TLS encrypted
      current master key!

  58. TLS 1.3 is a major change

  59. (image-only slide)

  60. Kill all the bad crypto!

    RC4, 3DES, AES-CBC

    MD5, SHA1

    NULL ciphers

    arbitrary DH groups and curves

    static RSA authentication

    renegotiation

    compression

    PKCS#1 v1.5

    MAC then Encrypt

  61. New modern crypto

    Elliptic Curve Crypto
      Edwards Curve (Ed25519)
      Curve25519, X25519

    authenticated encryption (AEAD)
      AES-GCM
      CHACHA20-Poly1305

    mandatory Diffie-Hellman PFS
      no “out-of-band TLS decryption”

    RSASSA-PSS signatures

  62. Protocol improvements

    Cipher negotiation protected by Finish MAC (LogJam)

    Separation of key agreement, ciphers, authentication
      Cipher suites: TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256
      TLS extensions: signature_algorithms, cert_signature_algorithms, elliptic_curves

    Session resumption with PSK-ECDHE
      after Finish, TLS encrypted, next master key

    Encrypted Post-Handshake auth (client cert)

  63. TLS 1.3 with 1-RTT handshake
    Client → Server: ClientHello (supported ciphers, groups, signatures; supported versions; SNI; Key Share)
    Server → Client: ServerHello (select cipher, group, signature; Key Share)
    Server → Client: ChangeCipherSpec
    Server → Client: Certificate Chain
    Server → Client: Finish (MAC & Signature)
    Client → Server: ChangeCipherSpec
    Client → Server: Finish (MAC)
    Client → Server: HTTP GET

  64. 1.1.1-pre1/bin/openssl s_client
    -connect tls13.crypto.mozilla.org:443
    -servername tls13.crypto.mozilla.org
    -tls1_3

  65. Hacks

    Middlebox compatibility mode
      Version: TLSv1.2
      TLS ext: supported_versions 0x0304

    Downgrade protection in server random
      = TLSv1.2 DOWNGRD\x00
      < TLSv1.2 DOWNGRD\x01

    HelloRetryRequest random
      SHA256(“HelloRetryRequest”)

  66. TLS 1.3 with 2-RTT retry handshake
    Client → Server: ClientHello (supported ciphers, groups, signatures; supported versions; Key Share)
    Server → Client: HelloRetryRequest (select cipher, group, signature; Cookie)
    Server → Client: ChangeCipherSpec
    Client → Server: ClientHello (Cookie; New Key Share)
    Client → Server: ChangeCipherSpec
    Server → Client: ServerHello (select cipher, group, signature; Key Share)
    Server → Client: Certificate Chain
    Server → Client: Finish (MAC & Signature)
    Client → Server: Finish (MAC)
    Client → Server: HTTP GET

  67. TLS 1.3 with 0-RTT early data
    Client → Server: ClientHello (PSK + PSK mode; Key Share)
    Client → Server: Early data (HTTP GET)
    Server → Client: ServerHello (PSK; Key Share)
    Server → Client: Finish (MAC & Signature)
    Server → Client: HTTP Response (to early data)
    Client → Server: Finish (MAC)
    Server → Client: NewSessionTicket (PSK)
    TLS Alert: close_notify

  68. 0-RTT caveats

    Replay attack

    No forward secrecy

    Applications must define a profile for early data

  69. Use HTTPS
    everywhere!

  70. Books

  71. Resources

    https://www.ssllabs.com/ssltest/

    https://istlsfastyet.com/

    Deploying TLS 1.3: the great, the good and the bad (33c3)
    https://www.youtube.com/watch?v=0opakLwtPWk

  72. THANK YOU
    plus.google.com/+RedHat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHatNews
    linkedin.com/company/red-hat