
Secure Industrial Device Connectivity with Low-Overhead TLS

wolfSSL
October 03, 2017


Industrial engineers adding the Transport Layer Security (TLS) protocol to applications for the first time have a lot to learn before they can accomplish the task, including protocol details, underlying cryptography, best practices, and new API usage.

This Industrial IoT University session will make the learning process much easier by teaching attendees about the TLS protocol, algorithm types, how and where to use keys and X.509 certificates, and optimization tips for resource-constrained devices.



Transcript

  1. Chris Conlon - Engineering Manager, wolfSSL - B.S. from Montana

    State University (Bozeman, MT) - Software engineer at wolfSSL (7 years) Contact Info: - Email: [email protected] - Twitter: @c_conlon
  2. (Figure: public-key cryptography schema.) Image credit: original schema by A.J. Han Vinck, University of Duisburg-Essen; SVG version by Flugaal. From A.J. Han Vinck, Introduction to public key cryptography, p. 16, Public Domain, https://commons.wikimedia.org/w/index.php?curid=17063048
  3. • “Progressive” is a subjective term • These slides talk about crypto algorithms that are: ◦ New, modern ◦ Becoming widely accepted ◦ Already integrated into SSL/TLS through cipher suites
  4. • ChaCha20 • Poly1305 • Curve25519 • Ed25519 All created by Daniel J. Bernstein, research professor at the University of Illinois at Chicago. ChaCha20-Poly1305 AEAD is used by Google for HTTPS (Chrome); Ed25519 and ChaCha20-Poly1305 AEAD are used in Apple’s HomeKit (see the iOS Security guide).
  5. ChaCha20 • Fast stream cipher • Derived from the Salsa20 stream cipher, with a different quarter-round that updates every word twice per round and so gives more diffusion • Combined with Poly1305 for AEAD encryption (ChaCha20-Poly1305) • Published by Bernstein in 2008 Used by • Google Chrome • TinySSH • Apple HomeKit • wolfSSL
  6. Poly1305 • Provides message authenticity (a MAC) • Extremely fast compared to other MACs • Introduced in a 2002 presentation by Bernstein • Named for its construction: a polynomial-evaluation MAC over the prime field Z/(2^130 − 5) • It is a one-time MAC: every message needs a fresh key, which is why ChaCha20-Poly1305 derives the Poly1305 key from the first ChaCha20 keystream block of each message
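  Worked definition of the “polynomial evaluation” (added here; the notation follows RFC 7539, not the slide): split the message into 16-byte chunks c_1 ... c_q, append a 0x01 byte to each chunk and read it as a little-endian integer, take the one-time key as (r, s) with r clamped (128 bits, certain bits forced to zero) and s a 128-bit offset; then

      tag = ( ( c_1 * r^q + c_2 * r^(q-1) + ... + c_q * r ) mod (2^130 - 5) + s ) mod 2^128

  Implementations evaluate this with Horner's rule, h = (h + c_i) * r mod (2^130 - 5), one multiplication per chunk, which is where the speed comes from. Reusing (r, s) for a second message lets an attacker recover r and forge tags, hence the one-time key rule.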
  7. Curve25519 • Montgomery curve used for ECDH key agreement (Reference 5) Used by • Tor • Google Chrome • Apple iOS • wolfSSL
  8. Ed25519 • Signature scheme over a twisted Edwards curve (Reference 6) Used by • Tera Term • GnuPG • wolfSSL
  9. • Current SSL / TLS / DTLS versions: ◦ SSL 3.0 - RFC 6101 (deprecated by RFC 7568; do not enable it) ◦ TLS 1.0 - RFC 2246 ◦ TLS 1.1 - RFC 4346 ◦ TLS 1.2 - RFC 5246 ◦ DTLS 1.0 - RFC 4347 ◦ DTLS 1.2 - RFC 6347
  10. • Most TLS implementations run on top of the BSD socket API • Since TLS sits ON TOP of the transport layer, it can in principle run over ANY transport medium: ◦ Serial connection (RS-232) ◦ Proprietary transport layer ◦ Memory buffers ◦ etc. • The one requirement is a reliable, in-order byte stream; for a lossy datagram transport use DTLS instead
  11. • Uses a variety of crypto algorithms • A common CIPHER SUITE is negotiated during the TLS handshake

      Naming scheme: Protocol_KeyExchange_WITH_BulkEncryption_Mode_MessageAuth
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA

      Hash functions: SHA, SHA-256, ...
      Block and stream ciphers: 3DES, AES, Camellia, ...
      Public key algorithms: RSA, ECC, NTRU, ...
  12. • Four sub-protocols: 1. Handshake Protocol 2. Change Cipher Spec Protocol 3. Alert Protocol 4. Record Protocol • Handshake Protocol: responsible for negotiating a session, including: ◦ Session identifier ◦ Authentication (one-way or mutual) ◦ Whether to use compression ◦ Agreeing on the set of algorithms (cipher suite) ◦ Calculation of the master secret
  13. • Four sub-protocols: 1. Handshake Protocol 2. Change Cipher Spec Protocol 3. Alert Protocol 4. Record Protocol • Change Cipher Spec Protocol: signals a transition in ciphering strategy • Sent by both client and server • Notifies the receiving party that subsequent records will be protected under the newly negotiated CipherSpec and keys
  14. • Four sub-protocols: 1. Handshake Protocol 2. Change Cipher Spec Protocol 3. Alert Protocol 4. Record Protocol • Alert Protocol: conveys the severity and description of an alert • Level is either “warning” or “fatal” • A fatal alert results in immediate termination of the connection • Alerts are encrypted and compressed as per the current CipherSpec
  15. • Four sub-protocols: 1. Handshake Protocol 2. Change Cipher Spec Protocol 3. Alert Protocol 4. Record Protocol • Record Protocol: the layer the other three ride on; fragments data into records of at most 2^14 bytes, optionally compresses, applies the MAC and encryption of the current CipherSpec, and prepends the 5-byte header (content type, version, length)
  16. TLS handshake walk-through (figure: message flow between client and server; slides 16-37 step through it one message at a time, and the per-message sub-bullets were not captured in this transcript)

      Client -> Server: Client Hello
      Server -> Client: Hello Verify Request (DTLS only)
      Server -> Client: Server Hello, Certificate, Server Key Exchange, (Certificate Request), Server Hello Done
      Client -> Server: (Certificate), Client Key Exchange, (Certificate Verify), Change Cipher Spec, Finished
      Server -> Client: Change Cipher Spec, Finished

      Messages in parentheses are only sent when the server requests client authentication.
  17. • Client Hello - client offers its supported versions, cipher suites and extensions, plus a random value
  18. • Hello Verify Request - DTLS only: the server returns a stateless cookie the client must echo in a second Client Hello, so a spoofed source address cannot make the server do expensive work
  19-20. • Server Hello - server picks the version and cipher suite and sends its random value
  21-22. • Server Certificate - the server’s X.509 certificate chain (omitted for anonymous and PSK suites)
  23-24. • Server Key Exchange - ephemeral (EC)DHE parameters, signed with the server’s key; not sent for static RSA key exchange
  25-26. • (Certificate Request) - server asks the client to authenticate with a certificate (mutual authentication)
  27-28. • Server Hello Done - marks the end of the server’s first flight
  29-30. • (Client Certificate) - the client’s certificate chain, if one was requested
  31-32. • Client Key Exchange - the client’s contribution to the key exchange: the premaster secret encrypted to the server’s RSA key, or the client’s (EC)DHE public value
  33-34. • Certificate Verify - client signs the handshake transcript so far to prove possession of the private key for its certificate
  35-36. • Change Cipher Spec - from here on, each side’s records are protected with the negotiated keys
  37. • Finished - the first encrypted message; carries a MAC over the whole handshake so either side detects tampering with the earlier plaintext messages
  38. • X.509 is a standard for public key infrastructure (PKI) • Some things specified by it include: ◦ Public key certificates ◦ Certificate revocation lists (CRLs) ◦ Certificate path validation algorithm (CA / cert chain structure) • Structure is expressed in ASN.1 syntax and encoded with DER
  39. • Filename extensions: ◦ .pem - “Privacy-enhanced Electronic Mail”: Base64-encoded DER certificate between BEGIN/END lines ◦ .der, .cer, .crt - binary DER form (in practice .cer and .crt are used for both encodings, so check the content rather than trusting the extension) • Others include ◦ .p7b, .p7c (PKCS#7) - standard for signing/encrypting data, commonly used to bundle certificate chains ◦ .p12 (PKCS#12) - bundle certs and private keys ◦ .pfx (predecessor to .p12)
  40. • Structure of an X.509v3 certificate is as follows:

      • Certificate
        ◦ Version
        ◦ Serial Number
        ◦ Algorithm ID
        ◦ Issuer
        ◦ Validity
          ▪ Not Before
          ▪ Not After
        ◦ Subject
        ◦ Subject Public Key Info
          ▪ Public Key Algorithm
          ▪ Subject Public Key
        ◦ Issuer Unique Identifier (optional)
        ◦ Subject Unique Identifier (optional)
        ◦ Extensions (optional)
        ◦ …
      • Certificate Signature Algorithm
      • Certificate Signature
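Before any of the fields above can be read, a parser has to walk the DER tag-length-value encoding, and most historical X.509 parser bugs were length handling. The following is an added example, not from the slides or from wolfSSL: a minimal DER TLV reader that enforces the rules DER imposes (definite length, minimal length encoding, value within the buffer) and uses it to walk the outer shape Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }. The bytes in `sample_cert` are a constructed skeleton with that outer shape (the tbsCertificate holds only a version field), not a real certificate.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct tlv {
    uint8_t        tag;    /* identifier octet */
    size_t         len;    /* content length */
    const uint8_t *val;    /* start of content */
    size_t         total;  /* header + content: how far to advance */
};

/* Read one TLV from p[0..avail). Returns 0 on any encoding DER forbids. */
int der_read_tlv(const uint8_t *p, size_t avail, struct tlv *t) {
    size_t hdr, n, i;
    if (avail < 2) return 0;
    if ((p[0] & 0x1f) == 0x1f) return 0;          /* high-tag-number form: not used by X.509 */
    t->tag = p[0];
    if (p[1] < 0x80) {                             /* short form: one length octet */
        t->len = p[1];
        hdr = 2;
    } else {                                       /* long form: 0x80 | number of length octets */
        n = p[1] & 0x7f;
        if (n == 0) return 0;                      /* 0x80 = indefinite length, BER only */
        if (n > sizeof(size_t) || avail - 2 < n) return 0;
        if (p[2] == 0x00) return 0;                /* leading zero octet: not minimal */
        t->len = 0;
        for (i = 0; i < n; i++) t->len = (t->len << 8) | p[2 + i];
        if (t->len < 0x80) return 0;               /* would fit the short form: not minimal */
        hdr = 2 + n;
    }
    if (t->len > avail - hdr) return 0;            /* the classic over-read: length past buffer */
    t->val = p + hdr;
    t->total = hdr + t->len;
    return 1;
}

/* Walk the outer certificate structure. Returns the size of the TBS TLV
 * (the bytes the signature covers), or 0 if the shape is wrong. */
size_t x509_outer(const uint8_t *der, size_t len) {
    struct tlv cert, tbs, alg, sig;
    const uint8_t *p;
    size_t left;
    if (!der_read_tlv(der, len, &cert) || cert.tag != 0x30 || cert.total != len) return 0;
    p = cert.val; left = cert.len;
    if (!der_read_tlv(p, left, &tbs) || tbs.tag != 0x30) return 0;   /* tbsCertificate SEQUENCE */
    p += tbs.total; left -= tbs.total;
    if (!der_read_tlv(p, left, &alg) || alg.tag != 0x30) return 0;   /* signatureAlgorithm SEQUENCE */
    p += alg.total; left -= alg.total;
    if (!der_read_tlv(p, left, &sig) || sig.tag != 0x03 || sig.len < 1) return 0; /* BIT STRING */
    left -= sig.total;
    return left == 0 ? tbs.total : 0;              /* trailing bytes are an error too */
}

/* Constructed skeleton, not a real certificate. */
const uint8_t sample_cert[] = {
    0x30, 0x1a,                                    /* Certificate SEQUENCE, 26 bytes */
      0x30, 0x05, 0xa0, 0x03, 0x02, 0x01, 0x02,    /* tbsCertificate: [0] version INTEGER 2 (v3) */
      0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
                                                   /* signatureAlgorithm: sha256WithRSAEncryption, NULL */
      0x03, 0x02, 0x00, 0xff                       /* signatureValue: BIT STRING, 0 unused bits */
};

/* Malformed encodings that must be refused, plus one valid long-form length. */
int der_selftest(void) {
    static const uint8_t overlong[]   = {0x30, 0x81, 0x05, 0x02, 0x01, 0x02};        /* 5 in long form */
    static const uint8_t truncated[]  = {0x30, 0x10, 0x02, 0x01, 0x02};              /* claims 16, has 3 */
    static const uint8_t indefinite[] = {0x30, 0x80, 0x02, 0x01, 0x02, 0x00, 0x00};  /* BER only */
    uint8_t big[131];
    struct tlv t;
    size_t i;
    big[0] = 0x30; big[1] = 0x81; big[2] = 0x80;                  /* 128-byte SEQUENCE of NULLs */
    for (i = 0; i < 128; i++) big[3 + i] = (i % 2) ? 0x00 : 0x05;
    return !der_read_tlv(overlong, sizeof(overlong), &t) &&
           !der_read_tlv(truncated, sizeof(truncated), &t) &&
           !der_read_tlv(indefinite, sizeof(indefinite), &t) &&
            der_read_tlv(big, sizeof(big), &t) && t.len == 128 && t.total == 131;
}
```

The minimal-encoding checks matter beyond tidiness: DER's one-encoding-per-value rule is what lets a signature over the TBS bytes mean anything, and parsers that accepted non-minimal lengths have been used to smuggle differently parsed certificates past validators.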
  41. • A list of certificates followed by one or more CA certificates, where: ◦ The Issuer of each certificate matches the Subject of the next ◦ Each cert is signed by the private key corresponding to the public key in the following cert ◦ The last cert in the chain is the “root CA”; it is normally not sent in the SSL/TLS handshake and must already be in the verifier’s trust store
  42. TLS 1.3 timeline • In development for over 4 years now • 21 drafts so far

      August 2013 - Work on TLS 1.3 begins
      April 17, 2014 - Draft 00, 01
      July 7, 2014 - Draft 02
      October 27, 2014 - Draft 03
      January 3, 2015 - Draft 04
      March 9, 2015 - Draft 05
      June 29, 2015 - Draft 06
      July 8, 2015 - Draft 07
      August 28, 2015 - Draft 08
      October 5, 2015 - Draft 09
      October 19, 2015 - Draft 10
      December 28, 2015 - Draft 11
      February 2016 - TLS Working Group Workshop to analyze TLS 1.3 designs
      March 21, 2016 - Draft 12
      May 22, 2016 - Draft 13
      July 11, 2016 - Draft 14
      August 17, 2016 - Draft 15
      September 22, 2016 - Draft 16
      October 20, 2016 - Draft 17
      October 26, 2016 - Draft 18
      March 10, 2017 - Draft 19
      April 28, 2017 - Draft 20
      July 3, 2017 - Draft 21
  43. (Same timeline.) wolfSSL has implemented Drafts 18 and 20!
  44. Algorithm Changes • The symmetric algorithm list has been pruned of all “legacy” algorithms (RC4, 3DES, CBC modes) • Remaining algorithms all use Authenticated Encryption with Associated Data (AEAD) • The ciphersuite concept has changed: authentication and key exchange are negotiated separately from the record-protection (AEAD) algorithm and the hash used with the key derivation function and HMAC, so a TLS 1.3 suite name carries only the AEAD and the hash
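To make the naming scheme on the cipher-suite slide and the TLS 1.3 change on this one concrete, here is an added example (not from the slides or from wolfSSL) that parses a suite name into its components and flags the two properties a configuration review looks for first: forward secrecy (ephemeral key exchange) and AEAD record protection. TLS 1.2 names split at `_WITH_`; TLS 1.3 names have no key-exchange part at all, which the parser reports as `tls13`. The suite list in `main` mixes the slide's examples with other real suite names.

```c
#include <stdio.h>
#include <string.h>

struct suite {
    char kx[32];      /* key exchange + authentication ("" for TLS 1.3 names) */
    char cipher[32];  /* bulk cipher and mode */
    char mac[32];     /* MAC hash (TLS 1.2) or HKDF/transcript hash (TLS 1.3); "" for CCM_8 */
    int  tls13;       /* 1 if the name has no key-exchange part */
    int  pfs;         /* 1 if the key exchange is ephemeral (forward secrecy) */
    int  aead;        /* 1 if record protection is an AEAD mode */
};

static int copy_part(char *dst, size_t cap, const char *src, size_t n) {
    if (n == 0 || n >= cap) return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Split "TLS_<kx>_WITH_<cipher>_<mac>" or the TLS 1.3 form "TLS_<aead>_<hash>".
 * Returns 1 on success, 0 if the name does not follow the scheme. */
int parse_suite(const char *name, struct suite *s) {
    const char *body, *with, *last;
    memset(s, 0, sizeof(*s));
    if (strncmp(name, "TLS_", 4) != 0) return 0;   /* SSL_* names are SSLv3-era aliases */
    body = name + 4;
    with = strstr(body, "_WITH_");
    if (with != NULL) {
        if (!copy_part(s->kx, sizeof(s->kx), body, (size_t)(with - body))) return 0;
        body = with + 6;
    } else {
        s->tls13 = 1;   /* TLS 1.3: key exchange and signature come from extensions */
    }
    last = strrchr(body, '_');
    if (last == NULL) return 0;
    if (strcmp(last + 1, "8") == 0) {
        /* AES_128_CCM_8 style names carry no hash suffix */
        if (!copy_part(s->cipher, sizeof(s->cipher), body, strlen(body))) return 0;
    } else {
        if (!copy_part(s->cipher, sizeof(s->cipher), body, (size_t)(last - body))) return 0;
        if (!copy_part(s->mac, sizeof(s->mac), last + 1, strlen(last + 1))) return 0;
    }
    s->pfs  = s->tls13 || strncmp(s->kx, "DHE_", 4) == 0 || strncmp(s->kx, "ECDHE_", 6) == 0;
    s->aead = strstr(s->cipher, "_GCM") != NULL || strstr(s->cipher, "_CCM") != NULL ||
              strstr(s->cipher, "CHACHA20_POLY1305") != NULL;
    return 1;
}

/* One-line predicates for configuration checks; -1 means the name did not parse. */
int suite_has_pfs(const char *name) { struct suite s; return parse_suite(name, &s) ? s.pfs  : -1; }
int suite_is_aead(const char *name) { struct suite s; return parse_suite(name, &s) ? s.aead : -1; }
int suite_parts_are(const char *name, const char *kx, const char *cipher, const char *mac) {
    struct suite s;
    return parse_suite(name, &s) && strcmp(s.kx, kx) == 0 &&
           strcmp(s.cipher, cipher) == 0 && strcmp(s.mac, mac) == 0;
}

int main(void) {
    static const char *const suites[] = {
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_PSK_WITH_AES_128_CCM_8", "TLS_AES_128_GCM_SHA256" };
    struct suite s;
    size_t i;
    printf("%-46s %-12s %-18s %-7s pfs aead\n", "suite", "kx", "cipher", "mac");
    for (i = 0; i < sizeof(suites) / sizeof(suites[0]); i++) {
        if (!parse_suite(suites[i], &s)) { printf("%s: unparsed\n", suites[i]); continue; }
        printf("%-46s %-12s %-18s %-7s %d   %d\n", suites[i],
               s.tls13 ? "(ext)" : s.kx, s.cipher, s.mac, s.pfs, s.aead);
    }
    return 0;
}
```

Run against a device's configured suite list, the two predicates give a quick triage: anything with `pfs == 0` exposes all past traffic if the server key leaks, and anything with `aead == 0` is a CBC suite that TLS 1.3 has already dropped.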
  45. Zero-RTT Mode • Performance enhancement • Saves a round-trip at connection setup for some application data (“early data”) • At the cost of some security properties: early data can be replayed by an attacker and has no forward secrecy, so only send requests that are safe to replay in it
  46. More Encrypted Handshake Messages • All handshake messages after the ServerHello are now encrypted • The new EncryptedExtensions message allows extensions previously sent in the clear in ServerHello to be encrypted as well
  47. Redesigned Key Derivation Functions • Allows for easier analysis by cryptographers due to improved key separation properties • The HMAC-based Extract-and-Expand Key Derivation Function (HKDF, RFC 5869) is used throughout
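  HKDF as TLS 1.3 uses it (added note with the RFC 5869 definitions, not from the slide), where H is the cipher suite’s hash:

      HKDF-Extract(salt, IKM) = HMAC_H(salt, IKM) = PRK
      HKDF-Expand(PRK, info, L) = T(1) | T(2) | ... truncated to L bytes,
          where T(0) = "" and T(i) = HMAC_H(PRK, T(i-1) | info | i)

  The key-separation property comes from the info input: TLS 1.3 wraps it as HkdfLabel (length, "tls13 " + label, transcript hash), so every traffic secret, handshake secret and finished key is expanded from a distinct (PRK, info) pair and a leak of one says nothing about the others.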
  48. ECC is Included • Now included in the base spec rather than a separate RFC (TLS 1.2 had it in RFC 4492) • Includes new signature algorithms (ex: Ed25519, Ed448) • Point format negotiation removed in favor of a single point format per curve
  49. Other Crypto Improvements • Removed ◦ Compression ◦ Custom DHE groups ◦ DSA ◦ Static RSA key exchange • RSA signatures now use RSASSA-PSS padding instead of PKCS#1 v1.5
  50. Version Negotiation Removed • TLS 1.2 included a version negotiation mechanism (the client states its highest version and the server picks) • TLS 1.3 removes this in favor of a version list in the supported_versions extension • Increases compatibility with servers which incorrectly implemented version negotiation (“version intolerance”)
  51. Session Resumption • Session resumption with and without server-side state

    removed • PSK-based ciphersuites of earlier TLS versions removed • Replaced by a single new PSK exchange
  52. Supports 3 basic key exchange modes: a. (EC)DHE (both finite

    field and elliptic curve varieties) b. PSK-only c. PSK with (EC)DHE
  53. • Make sure your application is compiled with the SAME preprocessor defines as the TLS library (a mismatch silently changes struct layouts and enabled features) • When using Autoconf, simply include <wolfssl/options.h>, which is generated at configure time, before any other wolfSSL header

      #include <wolfssl/options.h>

      int main(void)
      {
          return 0;
      }
  54. • The main wolfSSL header for SSL/TLS is <wolfssl/ssl.h>

      #include <wolfssl/options.h>
      #include <wolfssl/ssl.h>

      int main(void)
      {
          return 0;
      }
  55. • wolfSSL has two main structures: ◦ WOLFSSL - one SSL/TLS session (connection) ◦ WOLFSSL_CTX - SSL/TLS context: the shared settings, certificates and keys from which sessions are created

      #include <wolfssl/options.h>
      #include <wolfssl/ssl.h>

      int main(void)
      {
          WOLFSSL_CTX* ctx;
          WOLFSSL*     ssl;
          return 0;
      }
  56. • Initialize the wolfSSL library • Optionally, enable debug output (the library must also be built with DEBUG_WOLFSSL defined)

      /* initialize wolfSSL library */
      wolfSSL_Init();

      /* enable wolfSSL debug output */
      wolfSSL_Debugging_ON();
  57. • Create a wolfSSL context (ex: using TLS 1.2) • Enable (or set) peer verification; the verify callback is optional and may be NULL

      WOLFSSL_CTX* ctx;

      ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
      if (ctx == NULL)
          /* error out */

      /* turn on peer verification, register verify callback */
      wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify);
  58. • Load the trusted root CA certificate from a DER-formatted buffer • Or from a PEM- or DER-formatted file (the third argument is an optional directory of CA certificates) • Either call returns SSL_SUCCESS on success

      int ret;

      /* from a DER buffer */
      ret = wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_der_2048,
                                           sizeof(ca_cert_der_2048), SSL_FILETYPE_ASN1);

      /* or from a PEM/DER file */
      ret = wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0);
      if (ret != SSL_SUCCESS)
          /* error out */
  59. • After the socket has been created and connect()’ed, create the wolfSSL session • Pass the established socket file descriptor to wolfSSL

      WOLFSSL* ssl;

      if ((ssl = wolfSSL_new(ctx)) == NULL)
          /* error out */

      wolfSSL_set_fd(ssl, sockfd);
  60. • Initiate the SSL/TLS connection and do the handshake with the peer • Then write data using wolfSSL_write

      /* client side */
      ret = wolfSSL_connect(ssl);
      if (ret != SSL_SUCCESS)
          /* error out */

      /* server side */
      ret = wolfSSL_accept(ssl);
      if (ret != SSL_SUCCESS)
          /* error out */

      ret = wolfSSL_write(ssl, msg, msgSz);
  61. • And read data using wolfSSL_read (returns the number of bytes read, or 0 / negative on close or error; wolfSSL_get_error gives the reason) • Shut down the SSL/TLS session, then free the session, the context and the library

      ret = wolfSSL_read(ssl, reply, sizeof(reply));

      wolfSSL_shutdown(ssl);
      wolfSSL_free(ssl);
      wolfSSL_CTX_free(ctx);
      wolfSSL_Cleanup();
  62. • PKI and X.509 Optimizations • Algorithm Choices and Performance

    • Footprint Optimization • TLS Session Cache • Hardware Crypto and Assembly Optimizations • Stack vs. Heap Usage • Math Library Selection • TLS Record Size
  63. • Use appropriate key sizes ◦ Smaller = faster, less memory usage ◦ Larger = stronger, but slower and more memory • Remain conscious of algorithm selection ◦ Some algorithms are more performant than others ◦ Some algorithms require more or less memory • Certificate format affects footprint size (DER is smaller than PEM, and PEM must be decoded at load time) • Keep certificate chain lengths in mind when designing a PKI: every extra certificate is more bytes on the wire and another signature to verify
  64. • Take advantage of hardware cryptography ◦ Reduces the footprint

    size by eliminating software algorithms ◦ Increases performance vs. software crypto
  65. • Take advantage of assembly optimizations ◦ Currently available defines in wolfSSL:

      TFM_X86
      TFM_X86_64
      TFM_SSE2
      TFM_ARM
      TFM_PPC32
      TFM_PPC64
      TFM_AVR32
      TFM_ASM
  66. • Optimize the footprint (FLASH usage) of the library ◦ Compile out unneeded algorithms ▪ Example: ./configure --disable-arc4 --disable-sha ◦ Disable error strings ▪ Removes the strings corresponding to error codes ◦ Disable debug symbols ▪ Example: ./configure --disable-debug
  67. • Adjust the session cache ◦ TLS session cache sizes are configurable (wolfSSL defaults to 33 sessions, about 3 kB of RAM)

      NO_SESSION_CACHE      - no cache, saves ~3 kB
      SMALL_SESSION_CACHE   - 6 sessions (less than 500 bytes of RAM)
      MEDIUM_SESSION_CACHE  - 1055 sessions (200 sessions/minute)
      BIG_SESSION_CACHE     - 20,027 sessions
      HUGE_SESSION_CACHE    - 65,791 sessions (13,000 sessions/minute, or over 200/second)
  68. • Preference between stack vs heap allocation? ◦ Different math

    library choices ◦ Different compile-time build options ◦ Performance of memory on stack vs heap
  69. • RSA cipher suites (wolfSSL): peak memory by math library and key size

      Math library   Key size   Peak stack use   Peak heap use
      fastmath       1024       10k              9k
      fastmath       2048       13k              11k
      normal         1024       6k               14k
      normal         2048       7k               17k
  70. • ECC cipher suites (wolfSSL): peak memory by math library and key size

      Math library   Key size   Peak stack use   Peak heap use
      fastmath       256        7k               12k
      normal         256        6k               15k
  71. • wolfSSL fastmath notes ◦ FP_MAX_BITS should be set to twice the maximum key size when the key size is a multiple of 32 ▪ For 2048-bit RSA keys, set it to 4096 ▪ For 256-bit ECC keys, set it to 512 ▪ For sizes that are not a multiple of 32, use (keysize * 2) + the digit size in bits (typically 32) ◦ TFM_TIMING_RESISTANT ▪ Reduces stack usage ◦ ECC_TIMING_RESISTANT ▪ Reduces heap usage, but slower ◦ Both *_TIMING_RESISTANT defines exist first of all to make private-key operations constant-time against timing side channels; enable them on any device whose keys matter, whatever the memory effect
  72. • TLS Record Size ◦ RFC-specified maximum is 2^14 bytes of plaintext per record, plus up to 2048 bytes of MAC, padding and IV overhead on the ciphertext, so a full-size receive buffer costs 16-18 kB ◦ Can be reduced in two ways: ▪ Manually lowering the buffer size on client and server • You must control both client and server, since a peer that sends larger records will break the connection ▪ Using the TLS Maximum Fragment Length extension (RFC 6066): the client requests 2^9, 2^10, 2^11 or 2^12 bytes • The server must support it and echo the extension; otherwise the request is ignored and the default applies
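An added example, not from the slides or from wolfSSL, of the arithmetic behind that slide: the RFC 6066 fragment-length codes, how application data splits into records under a limit, and the receiver-side check on a record header that a constrained device must make before allocating or reading a body. The framing writes TLSPlaintext headers only (no encryption) to show the layout the limit acts on; the input data and buffer sizes in the self-test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_MAX_PLAINTEXT   16384u            /* 2^14, RFC 5246 section 6.2.1 */
#define TLS_MAX_CIPHERTEXT  (16384u + 2048u)  /* RFC 5246 section 6.2.3 */
#define TLS_HDR             5u                /* type(1) version(2) length(2) */

/* RFC 6066 max_fragment_length codes: 1 -> 2^9, 2 -> 2^10, 3 -> 2^11, 4 -> 2^12.
 * 0 means the extension was not negotiated, so the RFC 5246 default applies. */
unsigned mfl_limit(int code)
{
    if (code == 0) return TLS_MAX_PLAINTEXT;
    if (code < 1 || code > 4) return 0;   /* peer must reject with illegal_parameter */
    return 1u << (8 + code);
}

/* Records needed to carry len bytes of application data under a limit. */
size_t records_needed(size_t len, unsigned limit)
{
    if (limit == 0) return 0;
    return (len + limit - 1) / limit;
}

/* Frame data into TLSPlaintext records. Returns bytes written, 0 if out is too small. */
size_t frame_records(const uint8_t *data, size_t len, unsigned limit, uint8_t *out, size_t cap)
{
    size_t off = 0, w = 0;
    if (limit == 0 || limit > TLS_MAX_PLAINTEXT) return 0;
    while (off < len) {
        size_t n = len - off;
        if (n > limit) n = limit;
        if (cap - w < TLS_HDR + n) return 0;
        out[w++] = 23;                        /* ContentType application_data */
        out[w++] = 3; out[w++] = 3;           /* ProtocolVersion TLS 1.2 */
        out[w++] = (uint8_t)(n >> 8);
        out[w++] = (uint8_t)(n & 0xff);
        memcpy(out + w, data + off, n);
        w += n; off += n;
    }
    return w;
}

/* Receiver side: validate a header before touching the body. Returns 1 and the
 * body length, or 0 if the record must be rejected with record_overflow. */
int record_header_ok(const uint8_t hdr[5], size_t *body_len)
{
    size_t n = ((size_t)hdr[3] << 8) | hdr[4];
    if (hdr[0] < 20 || hdr[0] > 23) return 0;   /* not CCS, alert, handshake or app data */
    if (n > TLS_MAX_CIPHERTEXT) return 0;
    *body_len = n;
    return 1;
}

/* After decryption: with max_fragment_length negotiated, a fragment above the
 * limit is itself a fatal error (RFC 6066 section 4). */
int fragment_len_ok(size_t plaintext_len, unsigned limit)
{
    return limit != 0 && plaintext_len <= limit;
}

/* 1000 constructed bytes under a 512-byte limit: two records, 5 + 512 and 5 + 488. */
int frame_selftest(void)
{
    uint8_t data[1000], out[1100], bad[5] = {23, 3, 3, 0x48, 0x01};  /* 0x4801 > 2^14 + 2048 */
    size_t i, w, body;
    for (i = 0; i < sizeof(data); i++) data[i] = (uint8_t)i;
    w = frame_records(data, sizeof(data), 512, out, sizeof(out));
    if (w != 2 * TLS_HDR + 1000) return 0;
    if (!record_header_ok(out, &body) || body != 512) return 0;
    if (!record_header_ok(out + TLS_HDR + 512, &body) || body != 488) return 0;
    if (record_header_ok(bad, &body)) return 0;
    return frame_records(data, sizeof(data), 512, out, 1000) == 0;    /* too small: refused */
}
```

The numbers are the point: at the 2^12 limit a device needs a 4 kB (plus overhead) receive buffer instead of 16-18 kB, at the cost of one extra 5-byte header plus MAC per 4 kB of payload.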