The wolfSSL lightweight SSL/TLS library now includes TLS 1.3 support. This slide deck, from a seminar given in Tokyo, Japan, covers the differences in TLS 1.3 and what wolfSSL currently supports.
Communication Smart Energy Appliances Games Sensors Internet of Things Databases Mobile Phones Printers Applications Connected Home Industrial Automation M2M Routers We Secure the Internet by Securing Data
Rest Firmware Updates - Secured with SSL/TLS, SSH - Possible Transfer Mediums: TCP/UDP/Bluetooth/Serial/etc - Secured with Cryptography - Secured with SSL/TLS, crypto, MQTT - Prevent malicious firmware flashing and updates
◦ Unburden your engineers from the details of cryptography ◦ Get your cryptography done right! • Possible uses ◦ Get brought up on a board! ◦ Port to hardware-based cryptography wolfSSL Kickstart Power Program!
to TLS 1.3 and DTLS 1.2 • 20-100 kB footprint • 1-36 kB RAM per session • Up to 20X Smaller than OpenSSL • Long list of supported operating systems Windows, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, WinCE Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, NonStop TRON/ITRON/uITRON, Micrium uC/OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, ARC MQX
authentication is optional • Can happen via asymmetric cryptography (RSA, ECSDA) or a pre-shared key (PSK) Confidentiality • Data is only visible to endpoints (client/server) Integrity • Data cannot be modified by attackers Primary Goals of TLS
SUITE is negotiated during the SSL Handshake Protocol_keyexchange_WITH_bulkencryption_mode_messageauth TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA Hash Functions SHA, SHA-256, ... Block and Stream Ciphers 3DES, AES, Camellia, ... Public Key Algorithms RSA, ECC, NTRU, ... What is SSL / TLS?
strategies • Sent by client and server • Notifies receiving party that subsequent records will be protected under newly negotiated CipherSpec and keys TLS Sub-Protocols
TLS record header ▪ Decrypts received data ▪ Verifies data (using MAC) ▪ Decompresses ▪ Reassembles ▪ Delivers result to higher level TLS Sub-Protocols
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Hello Verify Request ◦ Sent in response to Client Hello ◦ Sends the stateless cookie to prevent against DDoS attacks ◦ Client should sends another ClientHello back with the same cookie in it
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Server Hello ◦ Sent in response to Client Hello ◦ Only when it can find acceptable set of algorithms ◦ Includes: ▪ Protocol version ▪ Random ▪ Session ID ▪ Cipher Suite ▪ Compression Method ▪ Extensions
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Server Certificate ◦ Server’s certificate chain ◦ X.509 v3 Certificates ◦ Must be compatible with selected key exchange algorithm ◦ Not sent when using PSK cipher suites ◦ On receiving this message, client validates the certificate chain
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Server Key Exchange ◦ Sent when the Certificate message doesn’t contain enough data for client to exchange pre-master secret ◦ For DHE and ECDHE cipher suites ▪ Contains the server’s half of the key agreement ▪ Must be signed with server’s private key ◦ For PSK, just contains the server key name
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Server Hello Done ◦ Indicates end of Server Hello ◦ After sending, server will wait for client response
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • (Client Certificate) ◦ Client’s certificate chain, may be empty ◦ X.509 v3 Certificates ◦ Must be compatible with selected key exchange algorithm ◦ Not sent when using PSK cipher suites or not requested ◦ On receiving this message, server validates the certificate chain
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Client Key Exchange ◦ For RSA cipher suites, contains the pre-master secret encrypted with the server’s public key ◦ For DHE or ECDHE cipher suites, contains the client’s half of the key agreement ◦ On receipt of this message, both sides now have enough information to generate the master secret and the session keys using the PRF, Pseudo Random Function
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Certificate Verify ◦ Client sends the Certificate Verify message when sending a certificate ◦ Hash of handshake messages to this point ◦ Signed with the client’s private key ◦ Server verifies with client’s public key
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Change Cipher Spec ◦ Sent by both client and server ◦ This is not part of the handshake protocol, but part of the handshake. ◦ Indicates to the peer that this endpoint is now using the negotiated cipher suite and keys
Certificate Request Certificate Client Key Exchange Certificate Verify Change Cipher Spec Finished Change Cipher Spec Finished Server Hello Done Hello Verify Request • Finished ◦ First message encrypted with the negotiated cipher suite and session keys ◦ Contains hash of all handshake messages exchanged to this point ◦ Verifies that the authentication and key generation was successful
it was invented in 1995 • It is recommended to: ◦ Use the most current TLS protocol and secure algorithms ◦ Have a software/firmware update system to stay updated with new TLS library versions TLS Vulnerabilities
CBC-mode for TLS (1.1 and 1.2) and DTLS (1.0 and 1.2) • Based on a delicate timing analysis of the decryption processing needed in block mode • Fix: Don’t use CBC mode with TLS 1.1 or 1.2, OR use a patched implementation (wolfSSL has been patched!) Lucky 13
use DH and DHE EXPORT keys (512 bits or less) • wolfSSL has never supported EXPORT DH/DHE cipher suites • Fix: Don’t use EXPORT grade DH and DHE cipher suites Logjam
authentication with a static (EC)DH private key ◦ The injection of a known certificate/key pair into the client • wolfSSL ◦ Does support static ECDH cipher suites, but does not support static DH cipher suites ◦ Client authentication is supported in wolfSSL ◦ But, ecdsa_fixed_ecdh is not supported, meaning yaSSL / CyaSSL / wolfSSL are not vulnerable to the attack Pandora’s Box Attack
(Birthday attacks can be used to find collisions in a cryptographic hash function) • An attack on block cipher algorithms that use a block size of 64 bits (ex: 3DES) • Fix: Don’t use 3DES (wolfSSL has it disabled by default) SWEET32
2014 - Draft 00, 01 July 7, 2014 - Draft 02 October 27, 2014 - Draft 03 January 3, 2015 - Draft 04 March 9, 2015 - Draft 05 June 29, 2015 - Draft 06 July 8, 2015 - Draft 07 August 28, 2015 - Draft 08 October 5, 2015 - Draft 09 October 19, 2015 - Draft 10 December 28, 2015 - Draft 11 February 2016 - TLS Working Group Workshop to analyze TLS 1.3 designs March 21, 2016 - Draft 12 May 22, 2016 - Draft 13 July 11, 2016 - Draft 14 August 17, 2016 - Draft 15 September 22, 2016 - Draft 16 October 20, 2016 - Draft 17 October 26, 2016 - Draft 18 March 10, 2017 - Draft 19 April 28, 2017 - Draft 20 July 3, 2017 - Draft 21 • In development for over 4 years now • 21 drafts so far History of TLS 1.3
all “legacy” algorithms • Remaining algorithms all use Authenticated Encryption with Associated Data (AEAD) • Ciphersuite concept has changed to separate authentication and key exchange mechanisms from the record protection algorithm and a hash to be used with key derivation function and HMAC TLS 1.3 - Major Differences from TLS 1.2
ServerHello are now encrypted • New EncryptedExtension allows extensions previously sent in the clear in ServerHello to also be encrypted TLS 1.3 - Major Differences from TLS 1.2
cryptographers due to improved key separation properties • HMAC-based Extract-and-Expand Key Derivation Function (HKDF) used TLS 1.3 - Major Differences from TLS 1.2
• Includes new signature algorithms (ex: ed25519, ed448) • Point format negotiation removed in favor of single point format per curve TLS 1.3 - Major Differences from TLS 1.2
• TLS 1.3 removes this in favor of a version list in an extension • Increases compatibility with servers which incorrectly implemented version negotiation TLS 1.3 - Major Differences from TLS 1.2
material and select the cryptographic parameters. Everything after this is encrypted. b. Server Parameters ▪ Establish other handshake parameters (ex: client authentication, ALPN, etc) c. Authentication ▪ Authenticate the server (optionally the client), provide key confirmation and handshake integrity TLS 1.3 - FULL Handshake
+ psk_key_exchange_modes* + pre_shared_key* ◦ Random nonce (ClientHello.random) ◦ Protocol version (TLS 1.3) ◦ List of symmetric cipher/HKDF hash pairs ◦ Set of Diffie-Hellman key shares (in “key_share” extension) AND/OR ◦ Set of pre-shared key labels (in “pre_shared_key” extension) ◦ Optionally, other extensions TLS 1.3 - Key Exchange
indicating negotiated connection parameters ◦ If EC(DHE) used, contains “key_share” extension with server’s ephemeral DH share (in same group as one of client’s shares) ◦ If PSK, contains “pre_shared_key” extension indicating which of client’s PSKs was selected ◦ If EC(DHE) and PSK are used together, both extensions are present ServerHello + key_share* + pre_shared_key* TLS 1.3 - Key Exchange
are not required to determine cryptographic parameters • Server sends CertificateRequest ◦ If client authentication is desired (otherwise omitted) {EncryptedExtensions} {CertificateRequest*} TLS 1.3 - Server Parameters
and server ◦ Certificate of endpoint and any per-certificate extensions • CertificateVerify message ◦ Signature over entire handshake, using private key corresponding to public key in Certificate message • Finished message ◦ MAC over entire handshake ◦ Provides key confirmation, binds endpoint identity to exchanged keys ◦ Authenticates handshake in PSK mode {Certificate*} {CertificateVerify*} {Finished} TLS 1.3 - Authentication
Server corrects mismatch with a HelloRetryRequest and client needs to restart handshake ▪ Example: Client includes only DHE or ECDHE groups unsupported by server ◦ If no common cryptographic parameters can be negotiated, server aborts handshake TLS 1.3 - Incorrect DHE Share
demonstrate reachability at their network address 2. Allows server to offload state to client, allowing it to send HelloRetryRequest without storing any state TLS 1.3 - Cookie Extension
established in a previous connection and then reused ◦ “Session resumption” ◦ Once handshake has completed, server can send client a PSK identity that corresponds to a key derived from the initial handshake ◦ Client can then use that PSK identity in future handshakes to negotiate use of the PSK TLS 1.3 - Optimized Handshake Variants
client’s PSK, security context of new connection is tied to the original handshake ◦ The key derived from the initial handshake is used to bootstrap the state of a full handshake ◦ TLS 1.2 (and below) used “session IDs” and “session tickets” ▪ Both now obsolete in TLS 1.3 TLS 1.3 - Optimized Handshake Variants
used with (EC)DHE key exchange ▪ Provides forward secrecy in combination with shared keys ◦ PSKs can be used alone ▪ Loses forward secrecy TLS 1.3 - Optimized Handshake Variants
authenticating via PSK, it does not send a Certificate or CertificateVerify message ◦ Client should supply “key_share” extension when resuming with PSK ▪ Allows server to decline resumption and fall back to full handshake ◦ Server responds with “pre_shared_key” extension to negotiate use of PSK ▪ Can also send “key_share” extension to do (EC)DHE TLS 1.3 - Optimized Handshake Variants
send data on the 1st flight ▪ AKA: “early data” ◦ Client uses the PSK to authenticate server and to encrypt early data ◦ PSK can be obtained externally or via previous handshake TLS 1.3 - Optimized Handshake Variants
following must be provisioned to both client and server: ▪ Cipher suite for use with the PSK ▪ Application-Layer Protocol Negotiation (ALPN) protocol, if any ▪ Server Name Indication (SNI), if any is to be used TLS 1.3 - Optimized Handshake Variants
to the 1-RTT handshake in the first flight ◦ Rest of the handshake uses the same messages as 1-RTT with PSK resumption TLS 1.3 - Optimized Handshake Variants
(encrypted only under keys derived using offered PSK) ◦ No guarantees of non-replay between connections ▪ Server has no guarantee that the same 0-RTT data was not transmitted on multiple 0-RTT connections ▪ Relevant if data is authenticated either with TLS client authentication or inside the application layer protocol. TLS 1.3 - Optimized Handshake Variants
NOT use 0-RTT data without a profile that defines its use ▪ Profile needs to identify which messages or interactions are safe to use with 0-RTT TLS 1.3 - Optimized Handshake Variants
- 2 complete round trips ▪ TLS 1.3 - 1 complete round trip ◦ Network latency has less impact on required time to establish a secure connection ◦ Optionally, 0-RTT with data in the first flight! TLS 1.3 Advantages
wolfssl-X.X.X.zip $ cd wolfssl-X.X.X $ ./configure --enable-tls13-draft18 $ make $ unzip wolfssl-X.X.X.zip $ cd wolfssl-X.X.X $ ./configure --enable-tls13 $ make Compiling wolfSSL with TLS 1.3
During creation of a WOLFSSL_CTX: • Or, extended versions that allow application to provide a heap pointer: WOLFSSL_METHOD* wolfTLSv1_3_server_method(void); WOLFSSL_METHOD* wolfTLSv1_3_client_method(void); WOLFSSL_METHOD* wolfTLSv1_3_server_method_ex(void* heap); WOLFSSL_METHOD* wolfTLSv1_3_client_method_ex(void* heap); wolfSSL TLS 1.3 API Usage
to avoid storing state ◦ Must define WOLFSSL_SEND_HRR_COOKIE or ◦ ./configure --enable-hrrcookie int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, unsigned char* secret, unsigned int secretSz); secret - Secret to use when generating integrity check for cookie. A value of NULL indicates to generate a new random secret. secretSz - Size of secret data in bytes. Use a value of 0 to indicate use of default size. wolfSSL TLS 1.3 API Usage
KeyUpdate handshake message to indicate sender is updating its sending cryptographic keys ◦ Can be sent by either peer after it has sent a Finished message int wolfSSL_update_keys(WOLFSSL* ssl); ssl - Initialized wolfSSL session structure wolfSSL TLS 1.3 API Usage
client has sent “post_handshake_auth” extension, server may request client authentication at any time after handshake has completed by sending CertificateRequest message ◦ Must define WOLFSSL_POST_HANDSHAKE_AUTH or ◦ ./configure --enable-postauth int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx); int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl); ctx - Initialized wolfSSL context structure ssl - Initialized wolfSSL session structure wolfSSL TLS 1.3 API Usage
called any time after handshake completion. ◦ A maximum of 256 requests can be sent on a connection. int wolfSSL_request_certificate(WOLFSSL* ssl); ssl - Initialized wolfSSL session structure wolfSSL TLS 1.3 API Usage
version is expecting to be TLS v1.3. ◦ If the server downgrades, and older versions of the protocol are compiled in, the client will fallback to wolfSSL_connect(). int wolfSSL_connect_TLSv13(WOLFSSL* ssl); ssl - Initialized wolfSSL session structure wolfSSL TLS 1.3 API Usage
The protocol version is expecting to be TLS v1.3 ◦ If the client downgrades, and older versions of the protocol are compiled in, the server will fallback to wolfSSL_accept() int wolfSSL_accept_TLSv13(WOLFSSL* ssl); ssl - Initialized wolfSSL session structure wolfSSL TLS 1.3 API Usage
be seen by server when using session tickets for resumption. ◦ A value of zero indicates no early data is to be sent by client using session tickets ◦ WOLFSSL_EARLY_DATA needs to be defined or ◦ ./configure --enable-earlydata int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz); int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz); wolfSSL TLS 1.3 API Usage
depend on security software ◦ Providing data integrity, confidentiality, and authentication • Expectation of Security ◦ Lack of testing can allow vulnerabilities and crashes • Maturity and Trust ◦ Users must be able to trust secure software ◦ Increases confidence of code quality
C. Algorithm Testing D. Static Analysis E. Detecting Memory Errors F. Interoperability Testing G. Peer Review H. Third Party Testing I. Fuzz Testing (edge cases) J. Continuous Integration K. Nightly Test Cycle
for correct behavior - Test success and failure cases - Verify functions behave as expected - Test library consistency wolfSSL Uses: - Unit tests for exposed API - No external dependencies - Run with each “make check” - Manually with: $ cd wolfssl-3.12.0 $ ./configure $ make $ ./tests/unit.test starting unit tests... Begin API Tests ... End API Tests
connection with provided cipher suite - Verify suite works as expected wolfSSL Uses: - Tests all cipher suites against ourselves - Run with each “make check” - Manually as part of unit test - 196 cipher suite tests in default build - 300 cipher suite tests w/ DTLS on - (49 / 75 suites) Cipher Suite Examples: TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_PSK_WITH_AES_256_CCM_8 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_NTRU_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [...]
starting default cipher suite tests notice: using default file tests/test.conf trying server command line[25]: SuiteTest -v 3 -l DHE-RSA-CHACHA20-POLY1305 trying client command line[25]: SuiteTest -v 3 -l DHE-RSA-CHACHA20-POLY1305 SSL version is TLSv1.2 SSL cipher suite is TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ... repeating test with non blocking on ... repeating test with client cert request off ... repeating test with client cert request off repeating test with non blocking on
correctly - Test NIST algorithm vectors - Test FIPS 140-2 test vectors - Algorithm should match expected input/output wolfSSL Uses: - Test crypto works as expected - Two separate tests: 1. wolfCrypt test suite (test.c) 2. FIPS 140-2 test harness Algorithm Examples: Hash Functions: MD5, SHA1, SHA-2, SHA-3 Block Ciphers: AES, 3DES, Camellia Stream Ciphers: RC4, ChaCha, RABBIT, HC-128 Public Key: RSA, DSA, ECC, NTRU
passed! SHA-256 test passed! [...] GMAC test passed! Chacha test passed! POLY1305 test passed! DES test passed! DES3 test passed! AES test passed! AES-GCM test passed! RANDOM test passed! RSA test passed! DH test passed! ECC test passed! wolfCrypt CAVP Test Vector Harness (version 1.0) INFO: Testing wolfCrypt version: 3.8.0 Parsing configuration file: cavp.conf INFO: Running algorithm test vectors: ------------------------------------------ [1/18] ./vectors/AES/req/CBCGFSbox128.req OUT = ./vectors/AES/rsp/CBCGFSbox128.rsp Expected: PASSED! [2/18] ./vectors/AES/req/CBCGFSbox192.req OUT = ./vectors/AES/rsp/CBCGFSbox192.rsp Expected: PASSED! [...]
other implementations - Helps verify protocol and feature implementations - Real world apps may run against other libraries wolfSSL Uses: - Interop testing with other SSL/TLS implementations, including: • OpenSSL • BoringSSL • GnuTLS • mbed TLS (PolarSSL)
by external researchers, labs, and security teams wolfSSL Uses: - Reviews done on a regular basis by: • University researchers • Customer/user security teams • FIPS/certificate labs • Open Source user base - Being Open Source makes this easy!
cases that developers may not think about testing - Tests corrupt TLS records, X.509 certs, and keys - Helps find bugs early that could have been a vulnerability - Guided probability based mutation of public facing buffers, in an attempt to make the library crash wolfSSL Uses: - Two main fuzzers: • wolfFuzz - Operates over memory buffers instead of TCP/IP • wolfSSL Network Fuzzer - Runs over TCP/IP - (-) much slower - (+) flexible with other client/servers or protocols
each pull request submitted - Integrates into development workflow - Finds bugs that developers may have missed, before code gets into master wolfSSL Uses: - Jenkins for CI on each pull request: • Tests FIPS build • Known Configurations (customer/user/common) • Valgrind • Static analysis (scan-build)
tests (multiple hours) - More in depth testing than CI - Results in devs inboxes each AM wolfSSL Uses: - Jenkins for Nightly Testing: • ./configure build option tests (multi-platform, multi-compiler) • Known Configurations • Extended Fuzz Testing
D. Static Analysis E. Detecting Memory Errors F. Interoperability Testing G. Peer Review H. Third Party Testing I. Fuzz Testing (edge cases) J. Continuous Integration K. Nightly Test Cycle In Recap
wolfssl
jaguar_imo
sullis
genkiogasawara
gotok365
seike460
ivargrimstad
faithandbrave
manfredsteyer
ryukobayashi
lovee
o0h
kj455
tammyeverts
speakerdeck
bkeepers
danielanewman
skipperchong
geeforr
trallard
chrisshort
jeffersonlam
rmw
zenorocha
gr2m
![Thanks! Questions? [email protected] www.wolfssl.com Bozeman, MT : Seattle, WA :](https://files.speakerdeck.com/presentations/9db7dd0e6ac84668953f6e660d05029a/slide_151.jpg){kind=link}