Overview of TLS v1.3 - OWASP (talk transcript)
Overview of TLS v1.3
What's new, what's removed and what's changed?
About Me
• Andy Brodie – Worldpay Principal Design Engineer.
– Based in Cambridge, UK.
– [email protected]
• Neither a cryptographer nor a mathematician!
– This means no maths in this presentation.
Agenda
• History & Background.
• What's Been Removed.
• What's New & Changed.
– Cipher Suites.
– Handshake Changes.
– HMAC-based Key Derivation Function (HKDF).
– Session Resumption.
• Summary.
HISTORY & BACKGROUND
The Goals and Basics of TLS

How SSL became TLS

When | Who      | What                              | Comments
1994 | Netscape | SSL 1.0 designed.                 | Never published, as security flaws were found internally.
1995 | Netscape | SSL v2.0 published.               | Flaws found pretty quickly, which led to…
1996 | Netscape | SSL v3.0 published.               | SSL becomes ubiquitous.
1999 | IETF     | TLS v1.0 published (SSL v3.1).    | Incremental fixes, political name change and IETF ownership.
2006 | IETF     | TLS v1.1 published (SSL v3.2).    | Incremental fixes and capabilities.
2008 | IETF     | TLS v1.2 published (SSL v3.3).    | What we should all be using!
2014 | IETF     | TLS v1.3 draft 1 (SSL v3.4).      |
2018 | IETF     | TLS v1.3 draft 23.                | Expires July 15, 2018 (the final version was published as RFC 8446 in August 2018).
Stop to consider the awesomeness!
A Client and Server can have a secure conversation over an insecure medium having never met before.

What is a secure conversation?
• Privacy – The conversation must be encrypted.
– Prevents eavesdropping attacks.
• Integrity – Client & Server must be able to detect message tampering.
– Prevents a Man In The Middle (MITM) from altering the traffic.
• Authentication – The Client needs to trust it is talking to the intended server.
– Prevents impersonation attacks.

TLS achieves this using various techniques…
• Privacy – Symmetric key encryption for application data.
– Typically the Advanced Encryption Standard (AES).
• Integrity – Authenticated Encryption with Additional Data (AEAD).
– Usually the AES-GCM (Galois/Counter Mode) cipher mode.
• Authentication – X.509 certificates signed by a mutually trusted third party (a certificate authority).
– Typically server-authenticated only: the server proves possession of the certificate's private key.
Flow of messages in a TLS conversation
[Diagram: Open Socket → Handshake → Application Data (Alerts at any point) → Close Socket]
• Handshake
– Agree a cipher suite.
– Agree a master secret.
– Authentication using certificate(s).
• Application Data
– Symmetric key encryption.
– AEAD cipher modes.
– Typically HTTP.
• Alerts
– Graceful closure, or
– Problem detected.
TLS V1.3
https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html

Key Goals of TLS v1.3
• Clean up – Remove unsafe or unused features.
• Security – Improve security with modern techniques.
• Privacy – Encrypt more of the protocol (everything after the ServerHello).
• Performance – 1-RTT and 0-RTT handshakes.
• Continuity – Backwards compatibility.
WHAT'S REMOVED IN TLS V1.3?

What's removed in TLS v1.3
• Key Exchange – Static RSA key exchange (no forward secrecy).
• Encryption algorithms – RC4, 3DES, Camellia.
• Cryptographic hash algorithms – MD5, SHA-1.
• Cipher modes – AES-CBC (all non-AEAD modes).
• Other features:
– TLS compression & session renegotiation.
– DSA signatures (and ECDSA with curves below 224 bits).
– The ChangeCipherSpec message as a protocol step (kept only as an ignored dummy for middlebox compatibility) & "export"-strength ciphers.
– Arbitrary/custom (EC)DHE groups and curves; only named groups remain.
This has mitigated quite a few attacks…
• RC4 – Roos's bias (1995), Fluhrer, Mantin & Shamir (2001), combinatorial problem (2001), Klein (2005), Royal Holloway (2013), Bar Mitzvah (2015), NOMORE (2015).
• MD5 & SHA-1 – SLOTH (2016), SHAttered (2017).
• AES-CBC – Vaudenay (2002), Boneh/Brumley (2003), BEAST (2011), Lucky 13 (2013), POODLE (2014), Lucky Microseconds (2015).
• RSA PKCS#1 v1.5 encryption – Bleichenbacher (1998), Jager (2015), DROWN (2016).
• Compression – CRIME (2012).
• Renegotiation – Marsh Ray attack (2009), renegotiation DoS (2011), Triple Handshake (2014).
• 3DES – Sweet32 (2016).
WHAT'S NEW AND CHANGED?

What's New and Changed?
• Cipher Suites.
• Handshake.
• HMAC-based Key Derivation Function (HKDF).
• Key Schedule.
• Sessions.
CIPHER SUITES

Anatomy of a TLS v1.2 cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS – Protocol.
• ECDHE – Key exchange.
• RSA – Authentication (signature algorithm).
• AES_128_GCM – AEAD cipher mode.
• SHA256 – PRF hash algorithm.

TLS v1.2 provides 37 Cipher Suites
• TLS 1.2 specifies 37 cipher suites.
– Add previous versions in: 319 cipher suites.

TLS 1.3 Cipher Suites
• TLS v1.3 supports 5 cipher suites:
– TLS_AES_128_GCM_SHA256
– TLS_AES_256_GCM_SHA384
– TLS_CHACHA20_POLY1305_SHA256
– TLS_AES_128_CCM_SHA256
– TLS_AES_128_CCM_8_SHA256

Anatomy of a TLS v1.3 cipher suite: TLS_AES_128_GCM_SHA256
• TLS – Protocol.
• AES_128_GCM – AEAD cipher mode.
• SHA256 – HKDF hash algorithm.
The key exchange and the signature algorithm are no longer part of the suite name.

What happens to key exchange and authentication then?
• They are negotiated separately, through extensions.
• Key exchange algorithms:
– DHE & ECDHE.
• Only 5 ECDHE curve groups supported (secp256r1, secp384r1, secp521r1, x25519, x448).
• Only 5 DHE finite field groups supported (ffdhe2048 up to ffdhe8192).
– Pre-Shared Key (PSK).
– PSK with (EC)DHE.
• Digital signature (authentication) algorithms:
– RSA (RSASSA-PSS for handshake signatures; PKCS#1 v1.5 only inside certificates).
– ECDSA / EdDSA.
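To make the two cipher-suite anatomies concrete, here is an added example that is not part of the talk: a small Python parser for IANA cipher-suite names in both the TLS 1.2 (`..._WITH_...`) and TLS 1.3 forms, with a check that reports every component the "What's removed" slides list. The suite names and the removed-component lists come from the slides; the grouping of components into "removed" sets and the five-suite allow list are this example's own summary.

```python
"""Parse IANA cipher-suite names (TLS 1.2 and 1.3 forms) and flag components TLS 1.3 removed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Components the "What's removed in TLS v1.3" slides list. "SHA" alone in a suite name means SHA-1.
REMOVED_KEY_EXCHANGE = {"RSA", "DH", "ECDH", "DH_anon", "ECDH_anon", "KRB5", "SRP_SHA"}
REMOVED_AUTHENTICATION = {"DSS", "anon"}
REMOVED_CIPHERS = ("RC4", "3DES", "DES", "DES40", "RC2", "IDEA", "SEED", "CAMELLIA", "ARIA", "NULL")
REMOVED_HASHES = {"MD5": "MD5 hash", "SHA": "SHA-1 hash"}
HASH_SUFFIXES = ("SHA384", "SHA256", "SHA", "MD5")
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"}


@dataclass
class CipherSuite:
    name: str
    tls13_form: bool               # no "_WITH_": key exchange and signature are negotiated by extensions
    key_exchange: Optional[str]    # None in the TLS 1.3 form
    authentication: Optional[str]
    cipher: str                    # e.g. "AES_128_GCM", "3DES_EDE_CBC", "RC4_40"
    hash: Optional[str]            # PRF hash (1.2) or HKDF hash (1.3); None for 1.2 CCM suites
    export: bool


def _split_kx_auth(kx_auth: str):
    """Split the part before _WITH_ into (key exchange, authentication)."""
    if "_" not in kx_auth:                  # "RSA", "PSK", "KRB5": one algorithm does both jobs
        return kx_auth, kx_auth
    if kx_auth.endswith("_anon"):           # "DH_anon", "ECDH_anon": unauthenticated
        return kx_auth, "anon"
    kx, _, auth = kx_auth.rpartition("_")   # "ECDHE_RSA", "DHE_DSS", "SRP_SHA_RSA", "ECDHE_PSK"
    return kx, auth


def parse_suite(name: str) -> CipherSuite:
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kx_auth, rest = body.split("_WITH_", 1)
        export = "EXPORT" in kx_auth
        kx, auth = _split_kx_auth(re.sub(r"_?EXPORT\d*_?", "_", kx_auth).strip("_"))
        tls13_form = False
    else:
        kx, auth, export, rest, tls13_form = None, None, False, body, True
    hash_alg = None
    for suffix in HASH_SUFFIXES:            # longest first so "SHA256" is never read as "SHA"
        if rest.endswith("_" + suffix):
            hash_alg, rest = suffix, rest[: -len(suffix) - 1]
            break
    return CipherSuite(name, tls13_form, kx, auth, rest, hash_alg, export)


def removed_components(suite: CipherSuite) -> List[str]:
    """Everything in this suite that TLS 1.3 no longer allows; an empty list means the parts survive."""
    issues = []
    if suite.export:
        issues.append("export-strength key exchange")
    if suite.key_exchange in REMOVED_KEY_EXCHANGE:
        issues.append(f"{suite.key_exchange} key exchange (static, so no forward secrecy, or unauthenticated)")
    if suite.authentication in REMOVED_AUTHENTICATION:
        issues.append(f"{suite.authentication} signatures")
    for cipher in REMOVED_CIPHERS:
        if re.search(rf"(^|_){cipher}(_|$)", suite.cipher):
            issues.append(f"{cipher} cipher")
            break
    if "_CBC" in suite.cipher or suite.cipher.endswith("CBC"):
        issues.append("CBC cipher mode (not AEAD)")
    if suite.hash in REMOVED_HASHES:
        issues.append(REMOVED_HASHES[suite.hash])
    return issues


def tls13_negotiable(name: str) -> bool:
    """Only the five suites the talk lists can be negotiated under TLS 1.3."""
    return name in TLS13_SUITES


if __name__ == "__main__":
    # Constructed list mixing legacy and modern suites, as a server configuration might offer them.
    for suite_name in ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                       "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
                       "TLS_AES_128_GCM_SHA256"]:
        suite = parse_suite(suite_name)
        verdict = removed_components(suite) or ["no removed components"]
        print(f"{suite_name}: kx={suite.key_exchange} auth={suite.authentication} "
              f"cipher={suite.cipher} hash={suite.hash} -> {'; '.join(verdict)}")
```

A suite with an empty result is not automatically usable under TLS 1.3: the 1.2-form names still bind key exchange and signature into the suite, so `tls13_negotiable` is the check a TLS 1.3 configuration needs, while `removed_components` explains what a legacy-only server would lose when it moves.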
HANDSHAKE CHANGES

TLS Handshake
• The handshake has three goals:
– Agree a cipher suite.
– Agree a master secret.
– Establish trust between Client & Server.
• Optimise for the most common use cases.
– Everyone* wants a secure conversation.
– The same cipher suites are used across websites repeatedly.
– Clients connect to the same sites repeatedly.
* OK, almost everyone!
TLS 1.2 Handshake
[Diagram: TLS 1.2 full handshake]

Three Stages of a TLS 1.3 Handshake
1. Key Exchange
2. Server Parameters
3. Authentication

Key Exchange: the Client now makes assumptions about server support.
• Client sends (ClientHello):
– Cipher suite options.
– List of supported groups/curves.
– (EC)DHE key share(s) for the group(s) it guesses the server will accept.
• Server sends (ServerHello):
– Cipher suite selection.
– (EC)DHE key share for one of the offered groups (or a HelloRetryRequest if none suited).
• Client and Server now share a key.
Server Parameters: the rest of the handshake is encrypted.
• Server sends:
– EncryptedExtensions
• Server name
• Maximum fragment length
• …and optionally many more
– CertificateRequest (optional, only when client authentication is wanted)
• Supported signature algorithms.

Authentication: both sides prove who they are.
• Server sends:
– Certificate.
– Proof of private key possession (CertificateVerify: a signature over the handshake transcript).
– Finished (an HMAC over the transcript, keyed from the handshake secret).
– Application Data (the server can start sending immediately).
• Client responds:
– Certificate (only if requested).
– Proof of private key possession (CertificateVerify).
– Finished.
Efficiency Gains
[Diagram]
GENERATING KEYS USING HKDF

HKDF (RFC 5869): HMAC-based Extract-and-Expand Key Derivation Function
• TLS <= v1.2 defines its own PRF algorithm.
• TLS v1.3 replaces this with HKDF.
– HKDF encapsulates how TLS uses HMAC.
– Re-used in other protocols.
– Separate cryptographic analysis already done.
• Provides 2 functions:
– Extract – create a pseudo-random key from inputs.
– Expand – create more keys from the Extract output.
• HMAC is integral to HKDF.
– HMAC requires the cryptographic hash algorithm specified in the cipher suite (SHA-256 or SHA-384).
How the PRF is implemented (TLS <= v1.2)
[Diagram reconstructed:]
PRF(secret, label, seed) = P_HASH(secret, label + seed)
P_HASH iterates HMAC (SHA-256) over label + seed to produce as much key material as needed.

TLS <= v1.2: Creating Key Material from a master secret
Pre-master Secret (>= 46 bytes) → PRF → Master Secret (48 bytes) → PRF → Key Material (unbounded):
• Client Write MAC Key, Server Write MAC Key
• Client Write Key, Server Write Key
• Client Write IV, Server Write IV
TLS v1.3 Key Schedule Generation
[Diagram reconstructed as text]
Primitives: HKDF-Extract, HKDF-Expand-Label, Derive-Secret. Derive-Secret with a fixed (empty) transcript provides the salt for the next HKDF-Extract.

PSK (or 0) → HKDF-Extract (salt 0) → Early Secret
  → Derive-Secret → Binder Key
  → Derive-Secret → Client Early Traffic Secret
  → Derive-Secret → Early Exporter Master Secret
  → Derive-Secret ("derived") → salt for the next step
(EC)DHE (or 0) → HKDF-Extract → Handshake Secret
  → Derive-Secret → Client Handshake Traffic Secret
  → Derive-Secret → Server Handshake Traffic Secret
  → Derive-Secret ("derived") → salt for the next step
0 → HKDF-Extract → Master Secret
  → Derive-Secret → Client Application Traffic Secret 0 … N (rolled forward by KeyUpdate)
  → Derive-Secret → Server Application Traffic Secret 0 … N
  → Derive-Secret → Exporter Master Secret
  → Derive-Secret → Resumption Master Secret → PSK for Ticket N (via Ticket Nonce N)
PRE-SHARED KEYS AND SESSIONS
What's the difference?

Why do we need sessions?
• Full handshakes are expensive.
– Key generation.
– Server (& Client) authentication.
• Many HTTP clients need it.
– Downloading web page resources (JS, CSS, images).
– Dynamic web pages (XHR).
– It may not be feasible to keep the connection open.
How do we establish a PSK?
• Out-of-band – Added to TLS in 2006 via RFC 4279.
• During the handshake – The Client announces it supports PSK-based resumption (psk_key_exchange_modes); the Server hands out PSK identities once the handshake is complete.
• After the handshake, the Server sends "NewSessionTicket".
– Contains the PSK identity (the ticket), a nonce and a maximum age.
– The PSK is derived from the resumption master secret and the ticket nonce, so every ticket yields a different PSK.
– The Server can send multiple tickets.
So, TLS v1.3 supports PSK-based session resumption
[Diagram: the full handshake becomes a PSK handshake]
What about Zero Round Trip Time (0-RTT)?
• PSK means the key is already known to both sides.
– Does this mean the Client can send data immediately?
– Can we have a zero round trip time handshake?

Yes, we can!
• But…
– No forward secrecy for the "early data" sent by the client: it is protected only by the PSK.
– No guarantee of non-replay: captured early data can be replayed, so servers must limit it to idempotent requests or implement anti-replay.

So, TLS v1.3 supports PSK-based session resumption
[Diagram: the PSK handshake becomes a 0-RTT handshake carrying early data]
BACKWARDS COMPATIBILITY
Extensions… extensions everywhere!

Backwards Compatibility
• Backwards compatibility is important.
– TLS v1.3 clients need to talk to TLS v1.2 servers.
– TLS v1.2 clients need to talk to TLS v1.3 servers.
• The structure of the Hello messages is maintained; everything new travels in extensions.
– 9 extensions defined in the TLS 1.3 RFC itself.
– 12 extensions carried over from other RFCs.
• E.g. the ServerKeyExchange message is replaced with the key_share extension.
All the extensions

Extension                              | Defined in | TLS 1.3 messages
server_name                            | RFC 6066   | CH, EE
max_fragment_length                    | RFC 6066   | CH, EE
status_request                         | RFC 6066   | CH, CR, CT
supported_groups                       | RFC 7919   | CH, EE
signature_algorithms                   | RFC 5246   | CH, CR
use_srtp                               | RFC 5764   | CH, EE
heartbeat                              | RFC 6520   | CH, EE
application_layer_protocol_negotiation | RFC 7301   | CH, EE
signed_certificate_timestamp           | RFC 6962   | CH, CR, CT
client_certificate_type                | RFC 7250   | CH, EE
server_certificate_type                | RFC 7250   | CH, CT
padding                                | RFC 7685   | CH
key_share                              | TLS 1.3    | CH, SH, HRR
pre_shared_key                         | TLS 1.3    | CH, SH
psk_key_exchange_modes                 | TLS 1.3    | CH
early_data                             | TLS 1.3    | CH, EE, NST
cookie                                 | TLS 1.3    | CH, HRR
supported_versions                     | TLS 1.3    | CH (also SH and HRR in the final RFC)
certificate_authorities                | TLS 1.3    | CH, CR
oid_filters                            | TLS 1.3    | CR
post_handshake_auth                    | TLS 1.3    | CH

Acronym | Message
CH      | ClientHello
SH      | ServerHello
EE      | EncryptedExtensions
CT      | Certificate
CR      | CertificateRequest
NST     | NewSessionTicket
HRR     | HelloRetryRequest
Backwards Compatibility Considerations
• The protocol version is mentioned in every message (record layer and Hello messages).
– Now deprecated/fixed to old version values.
– Handshake and application data records claim 1.2 (0x0303); only the first ClientHello record may claim 1.0 (0x0301).
– A new extension (supported_versions) carries the real list of supported versions; the legacy version fields are ignored.
• Fixed values to prevent downgrade attacks.
– When a TLS 1.3-capable server negotiates an older version, the last 8 bytes of the Server Random are a sentinel:
• "DOWNGRD" followed by 0x01 when TLS 1.2 is negotiated.
• "DOWNGRD" followed by 0x00 when TLS 1.1 or below is negotiated.
– A client that offered TLS 1.3 and sees either value must abort the handshake (illegal_parameter).
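The downgrade sentinel above, as an added example that is not part of the talk: the server side stamps the sentinel into the Server Random when it has to negotiate below its best version, and the client side implements the check RFC 8446 §4.1.3 requires. The version constants and sentinel bytes are the protocol's; the function names and the "ok"/reason return convention are this example's own.

```python
"""Downgrade sentinel in ServerHello.random (RFC 8446 section 4.1.3): server-side marking, client-side check."""
import os

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
# Last 8 bytes of ServerHello.random when a newer server is asked to negotiate an older version.
DOWNGRADE_TO_TLS12 = b"DOWNGRD\x01"
DOWNGRADE_TO_TLS11_OR_BELOW = b"DOWNGRD\x00"


def server_random(server_max_version: int, negotiated_version: int) -> bytes:
    """Generate the 32-byte Server Random, stamping the sentinel when the server had to negotiate down."""
    prefix = os.urandom(24)
    if server_max_version >= TLS13 and negotiated_version == TLS12:
        return prefix + DOWNGRADE_TO_TLS12
    if server_max_version >= TLS12 and negotiated_version <= TLS11:
        return prefix + DOWNGRADE_TO_TLS11_OR_BELOW
    return prefix + os.urandom(8)    # genuine negotiation: all 32 bytes random


def check_downgrade(client_max_version: int, negotiated_version: int, random: bytes) -> str:
    """Client-side check. Returns "ok", or the reason the client must abort with illegal_parameter."""
    if len(random) != 32:
        raise ValueError("ServerHello.random must be exactly 32 bytes")
    tail = random[-8:]
    if (client_max_version >= TLS13 and negotiated_version <= TLS12
            and tail in (DOWNGRADE_TO_TLS12, DOWNGRADE_TO_TLS11_OR_BELOW)):
        return f"server supports TLS 1.3 but negotiated 0x{negotiated_version:04x}: downgrade suspected"
    if client_max_version == TLS12 and negotiated_version <= TLS11 and tail == DOWNGRADE_TO_TLS11_OR_BELOW:
        return f"server supports TLS 1.2 but negotiated 0x{negotiated_version:04x}: downgrade suspected"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: a TLS 1.3 client, a TLS 1.3 server, and a middlebox that stripped 1.3 from the offer.
    hello_random = server_random(server_max_version=TLS13, negotiated_version=TLS12)
    print("honest 1.2 client :", check_downgrade(TLS12, TLS12, hello_random))
    print("attacked 1.3 client:", check_downgrade(TLS13, TLS12, hello_random))
```

The sentinel only helps a client that actually offered the higher version, which is why the check is keyed on the client's own maximum and not just on what the server said; a genuine TLS 1.2 client sees the same bytes and carries on.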
And that's TLS v1.3!
• Removed – Anything that was unused, unsafe or didn't offer significant value.
• Added – Handshake encryption. – 1-RTT and 0-RTT PSK/session resumption.
• Changed – Cipher Suites. – Handshake. – HMAC-based Key Derivation Function (HKDF). – Key Schedule. – Sessions.

THANK YOU FOR LISTENING!
My own thoughts?
• The Good:
– Massive efficiency gains*.
– Fewer choices for Client & Server means reduced attack vectors.
• The Bad:
– "Extensions… extensions everywhere" (21 of them).
– A lot of added complexity for backwards compatibility.
– Specification consumability is questionable.
* 0-RTT has a "whiff of future regret" about it.
APPENDIX
Unused Slides

What's the point of the master secret?
• Client and Server need:
– Keys for symmetric encryption.
– Initialisation Vectors for AEAD cipher modes.
• Keys & IVs are generated from a master secret.
• TLS defines a "Key Schedule":
– How the HKDF algorithm is used.
– How to generate an unbounded amount of secure key material.
• So, how does HKDF work?
HMAC IS THE NEW PRF
HMAC-based Extract-and-Expand Key Derivation Function

What is HKDF used for?
• Key Schedules – Handshake secrets. – Early traffic secrets. – Master secret. – Application data secrets. – Initialisation Vectors.
• Transcript hashes – Certificate verification (CertificateVerify). – Handshake "Finished" keys.

HKDF (RFC 5869): HMAC-based Extract-and-Expand Key Derivation Function
• TLS <= v1.2 defines its own PRF algorithm.
– HKDF encapsulates how TLS uses HMAC.
– Re-used in other protocols.
– Separate cryptographic analysis already done.
• Provides 2 functions:
– Extract – create a pseudo-random key from inputs.
– Expand – create more keys from the first key.
• HMAC is integral to HKDF.
Cryptographic MAC Function: HMAC
• It creates a Message Authentication Code using:
– Message data.
– A shared key.
– A cryptographic hash algorithm (set in the cipher suite).
• SHA-256 or SHA-384.

Message Authentication Codes – Integrity
• Keyed-Hash Message Authentication Code (HMAC)
[Diagram reconstructed:]
HMAC(K, message) = hash( (K' XOR opad) || hash( (K' XOR ipad) || message ) )
where K' is the key zero-padded to the hash's block size, ipad = 0x3636…36 and opad = 0x5c5c…5c.
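The two-layer construction in the diagram, written out as an added example that is not from the talk: HMAC built from `hashlib` with the 0x36/0x5c pads, then compared in constant time against Python's own `hmac` module. The helper names are this example's; the construction itself is RFC 2104.

```python
"""HMAC (RFC 2104) built from the definition the slide draws, checked against Python's hmac module."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # inner and outer pad bytes from the diagram


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), with K' the key padded to one hash block."""
    block_size = hashlib.new(hash_name).block_size          # 64 bytes for SHA-256, 128 for SHA-384
    if len(key) > block_size:                                # over-long keys are hashed down first
        key = hashlib.new(hash_name, key).digest()
    key_block = key.ljust(block_size, b"\x00")               # then zero-padded to the block size
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in key_block) + message).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in key_block) + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison against the library implementation."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """How a receiver checks integrity: recompute and compare without leaking where the bytes differ."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


if __name__ == "__main__":
    # Constructed key and message; the tag is what the sender would attach.
    key, message = b"shared secret key", b"handshake transcript bytes"
    tag = hmac_from_scratch(key, message)
    print("tag", tag.hex(), "stdlib agrees:", matches_stdlib(key, message))
    print("tampered message accepted:", verify_tag(key, message + b"!", tag))
```

The long-key branch and the zero padding are the two steps that get dropped in hand-rolled versions; both are exercised by passing a key longer than the block size and a SHA-384 hash, whose block is 128 bytes rather than 64.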
HKDF Extract & Expand
• Extract – Creates a Pseudo-Random Key (PRK).
• Expand – Creates key material from the PRK (up to 255 × Hash.length bytes per call).
– Iteratively calls HMAC with an increasing counter.

HKDF-Extract(salt, IKM) -> PRK
  PRK = HMAC-Hash(salt, IKM)

HKDF-Expand(PRK, info, L) -> OKM
  T(0) = empty string (zero length)
  T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
  T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
  …
  OKM = first L bytes of T(1) | T(2) | …
However, it's unfortunately not that simple…
[Diagram reconstructed:]
Derive-Secret(Secret, Label, Messages[]) =
  HKDF-Expand-Label(Secret, Label, Hash(Messages[0] | Messages[1] | … | Messages[n]), Hash.Length)

HKDF-Expand-Label(Secret, Label, Context, Length) =
  HKDF-Expand(Secret, HkdfLabel, Length)

where HkdfLabel is the serialised struct:
  uint16 Length
  opaque Label<7..255> = "tls13 " + Label     ("tls13 " is a fixed char[6] prefix; Label itself is up to 12 characters)
  opaque Context<0..255> = HashValue
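The HKDF primitives, the Derive-Secret construction above and the TLS v1.3 Key Schedule diagram from the main part of the talk, as one added example that is not code from the talk. It uses only `hashlib` and `hmac`; the handshake message bytes and the (EC)DHE shared secret in the demo are constructed placeholders, not real captures. With no PSK and an empty transcript the early secret and the "derived" secret it produces are the ones in the RFC 8448 handshake trace, which is the quickest way to know the HkdfLabel encoding is right.

```python
"""TLS 1.3 key schedule (RFC 8446 section 7.1) on top of HKDF (RFC 5869), stdlib only."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM). An empty salt means Hash.length zero bytes."""
    salt = salt or b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i); OKM = T(1) | T(2) | ... cut to length."""
    if length > 255 * hashlib.new(hash_name).digest_size:
        raise ValueError("HKDF-Expand: at most 255 * Hash.length bytes may be requested")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm, counter = okm + t, counter + 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    """HKDF-Expand with the HkdfLabel struct as info: uint16 length, "tls13 " + label, context."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def derive_secret(secret: bytes, label: bytes, messages: list, hash_name: str = "sha256") -> bytes:
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.length)."""
    transcript = hashlib.new(hash_name)
    for message in messages:
        transcript.update(message)
    return hkdf_expand_label(secret, label, transcript.digest(), transcript.digest_size, hash_name)


def key_schedule(psk: bytes, ecdhe_shared: bytes, ch: bytes, sh: bytes,
                 server_flight: bytes, client_flight: bytes, hash_name: str = "sha256") -> dict:
    """Walk the schedule top to bottom; each HKDF-Extract takes a Derive-Secret("derived") value as salt."""
    zeros = b"\x00" * hashlib.new(hash_name).digest_size
    psk = psk or zeros                    # no PSK: Hash.length zero bytes stand in
    ecdhe_shared = ecdhe_shared or zeros  # PSK-only mode: zeros stand in for the (EC)DHE shared secret
    s = {"early_secret": hkdf_extract(zeros, psk, hash_name)}
    s["binder_key"] = derive_secret(s["early_secret"], b"res binder", [], hash_name)  # "ext binder" for external PSKs
    s["client_early_traffic_secret"] = derive_secret(s["early_secret"], b"c e traffic", [ch], hash_name)
    s["handshake_secret"] = hkdf_extract(derive_secret(s["early_secret"], b"derived", [], hash_name),
                                         ecdhe_shared, hash_name)
    s["client_handshake_traffic_secret"] = derive_secret(s["handshake_secret"], b"c hs traffic", [ch, sh], hash_name)
    s["server_handshake_traffic_secret"] = derive_secret(s["handshake_secret"], b"s hs traffic", [ch, sh], hash_name)
    s["master_secret"] = hkdf_extract(derive_secret(s["handshake_secret"], b"derived", [], hash_name),
                                      zeros, hash_name)
    to_server_finished = [ch, sh, server_flight]       # transcript through the server's Finished
    s["client_application_traffic_secret_0"] = derive_secret(s["master_secret"], b"c ap traffic", to_server_finished, hash_name)
    s["server_application_traffic_secret_0"] = derive_secret(s["master_secret"], b"s ap traffic", to_server_finished, hash_name)
    s["exporter_master_secret"] = derive_secret(s["master_secret"], b"exp master", to_server_finished, hash_name)
    s["resumption_master_secret"] = derive_secret(s["master_secret"], b"res master",
                                                  to_server_finished + [client_flight], hash_name)
    return s


def traffic_keys(traffic_secret: bytes, key_len: int = 16, iv_len: int = 12, hash_name: str = "sha256"):
    """Per-direction AEAD write key and IV (section 7.3); 16/12 bytes fit TLS_AES_128_GCM_SHA256."""
    return (hkdf_expand_label(traffic_secret, b"key", b"", key_len, hash_name),
            hkdf_expand_label(traffic_secret, b"iv", b"", iv_len, hash_name))


def next_traffic_secret(traffic_secret: bytes, hash_name: str = "sha256") -> bytes:
    """KeyUpdate: application_traffic_secret_N+1 = HKDF-Expand-Label(secret_N, "traffic upd", "", Hash.length)."""
    return hkdf_expand_label(traffic_secret, b"traffic upd", b"", len(traffic_secret), hash_name)


def resumption_psk(resumption_master_secret: bytes, ticket_nonce: bytes, hash_name: str = "sha256") -> bytes:
    """PSK behind a NewSessionTicket (section 4.6.1): derived from the resumption master secret, per ticket nonce."""
    return hkdf_expand_label(resumption_master_secret, b"resumption", ticket_nonce,
                             len(resumption_master_secret), hash_name)


if __name__ == "__main__":
    # Constructed stand-ins for the handshake messages and the (EC)DHE shared secret; not real captures.
    secrets = key_schedule(b"", b"\x5a" * 32, b"ClientHello", b"ServerHello",
                           b"EncryptedExtensions|Certificate|CertificateVerify|Finished", b"Finished")
    for name, value in secrets.items():
        print(f"{name:36s} {value.hex()}")
    key, iv = traffic_keys(secrets["server_application_traffic_secret_0"])
    print("server write key / iv:", key.hex(), iv.hex())
    print("PSK for ticket nonce 0:", resumption_psk(secrets["resumption_master_secret"], b"\x00\x00").hex())
```

Every secret below the early secret depends on the transcript hash, which is why the Client Random no longer needs its own slot in the derivation: it is inside the ClientHello bytes fed to Derive-Secret. The resumption PSK is derived from the resumption master secret and the ticket nonce, so two tickets from the same connection never share a PSK.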
Client says Hello

CH Parameter         | Description                          | Notes
Protocol Version     | Legacy slot for the protocol version. | 0x0303 (TLS v1.2).
Random               | The Client Random.                   | 32 bytes; no more Unix time in the first 4 bytes.
Session ID           | Legacy session ID.                   | Empty (or a 32-byte random value in middlebox-compatibility mode).
Cipher Suites        | Symmetric cipher options.            | One or more of the five.
Compression Methods  | N/A                                  | Must specify "null" only.
Supported Versions   | List of uint16.                      | 0x0304 (TLS v1.3); mandatory.
Signature Algorithms | List of supported signature schemes. | Required for certificate authentication.
Supported Groups     | List of (EC)DHE groups.              | Required for (EC)DHE.
Key Share            | (EC)DHE public values.               | Required for (EC)DHE.
Pre-Shared Key       | PSK identities and binders.          | Required for PSK (incl. session resumption); must be the last extension.

First Contact: ClientHello
• The Client initiates the connection.
• Contents:
– Version (Legacy) • Unused, must be set to 0x0303 (TLS v1.2).
– Client Random • Part of the ClientHello, so it enters the transcript hash that feeds the key schedule.
– Session ID (Legacy) • Ignored, kept for backwards compatibility.
– Supported Cipher Suites • What cipher suites this client can support.
– Compression (Legacy) • Ignored, kept for backwards compatibility.
– Extensions (TLS v1.3) • List of supported TLS versions (mandatory).
– Extensions (Others) • Other extensions, e.g. SNI.
RSA Key Exchange & Forward Secrecy
• The problem with RSA key exchange:
– The pre-master secret is always encrypted with the public key in the certificate.
– The certificate doesn't change (often).
– If the private key is ever compromised, Eve can decrypt every recorded conversation, past and future.
SHA-1 & MD5 Weaknesses
• Cryptographic hash algorithm security properties:
– Collision resistance: it is hard to find any m and m' such that hash(m) = hash(m').
– Second pre-image resistance: given m, it is hard to find m' such that hash(m) = hash(m').
– Pre-image resistance: given x, it is hard to find m such that hash(m) = x.
• MD5 vulnerabilities:
– Collision attack – done (practical).
– Theoretical attack on pre-image (2^123 operations).
• SHA-1 vulnerabilities:
– Collision attack – demonstrated by SHAttered (2017) with roughly 6,500 CPU-years or 110 GPU-years of computation.
– Effective collision strength is well below the 80 bits a 160-bit hash should give (about 2^63 SHA-1 computations).
Renegotiation Attacks [RRDO10]
[Diagram]