cnit 141 cryptography for computer networks · 2019. 5. 7. · cryptography for computer networks...
CNIT 141 Cryptography for Computer Networks
13. TLS
Updated 11-19-20
New Projects and Topics
Topics
• Target Applications and Requirements
• The TLS Protocol Suite
• TLS 1.3 Improvements Over TLS 1.2
• The Strengths of TLS Security
• How Things Can Go Wrong
TLS
• Protects communications at layer 4
• Can carry any type of content
• Email, Web traffic, mobile apps, ...
• Machine-to-machine comms for IoT
TLS Vulnerabilities
• TLS grew too big and bloated
• Many attacks
• Heartbleed
• BEAST
• CRIME
• POODLE
TLS 1.3
• Overhaul of protocol
• Removed unnecessary features
• Replaced old algorithms
• Simpler, faster, and more secure
Target Applications and Requirements
Secure Channel
• TLS ensures that data is confidential, authenticated, and unmodified
• Prevents MiTM attacks
• By authenticating servers with trusted Certificate Authorities
Four Requirements
• Efficient
• Minimizing CPU load compared to unencrypted comms
• Interoperable
• Work on any hardware or OS
• Extensible
• Support additional features & algorithms
• Versatile
• Not bound to any specific application
The TLS Protocol Suite
Transport Layer
• TLS is not in the transport layer
• It's above layer 4, adding security to it
• Can run over TCP or UDP
• UDP version is called DTLS
• Datagram Transport Layer Security
History
• SSL: began in 1995, from Netscape
• SSL 2.0 and SSL 3.0 had security flaws
• Should no longer be used
• TLS
• TLS 1.0 (1999): least secure
• TLS 1.1 (2006): better but contains weak algorithms
TLS 1.2
• From 2008
• Better than previous versions
• Complex and hard to configure
• Supports AES-CBC, vulnerable to padding oracle attacks
• Inherited dozens of features and design choices from earlier versions
• TLS 1.3 is a major overhaul and improvement
TLS in a Nutshell
• Record protocol
• Data encapsulation
• Handshake protocol
• Key agreement
TLS Handshake
• From Cloudflare (link Ch 13a)
Hello
• ClientHello
• Lists ciphers available
• ServerHello
• Selects a cipher to use
ClientHello
ServerHello
Certificates and Certificate Authorities (CA)
• Server uses a certificate to authenticate itself
• Verified by a CA
• CA's public keys hard-coded into browsers
• Trusted third party
Certificate
Certificate Chain
Record Protocol
Zero Padding
• Adds zeroes to plaintext for short messages
• Mitigates traffic analysis
• Deducing contents from message size
TLS 1.3 Cryptographic Algorithms
• Three types of algorithms are used
• Authenticated encryption
• Key derivation function
• Hash function that derives secret keys from a shared secret
• A Diffie-Hellman operation
Authenticated Ciphers
• TLS 1.3 supports only three algorithms
• AES-GCM
• AES-CCM
• Slightly less efficient than AES-GCM
• ChaCha20 stream cipher
• Combined with Poly1305 MAC
• Secret key can be 128 or 256 bits
• Unsafe 64-bit or 80-bit keys not allowed
Key Derivation Function (KDF)
• HKDF, based on HMAC
• Uses SHA-256 or SHA-384
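How HKDF is built from HMAC, as an added example that is not part of the original slides: extract-then-expand per RFC 5869, plus the HKDF-Expand-Label wrapper from RFC 8446 section 7.1. The sample shared secret and the labels "c demo" and "s demo" are constructed for illustration and are not the real TLS 1.3 key schedule labels.

```python
import hashlib
import hmac
import struct


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): condense the shared secret into a fixed-size PRK."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)  # default salt: all zeros
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` bytes bound to `info`."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) || info || n)
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes,
                      length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1): info is a length-prefixed struct."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def traffic_keys(traffic_secret: bytes, key_len: int = 16, iv_len: int = 12,
                 hash_name: str = "sha256"):
    """Derive the AEAD key and IV for one direction from a traffic secret."""
    key = hkdf_expand_label(traffic_secret, b"key", b"", key_len, hash_name)
    iv = hkdf_expand_label(traffic_secret, b"iv", b"", iv_len, hash_name)
    return key, iv


if __name__ == "__main__":
    # Constructed sample: a stand-in for the Diffie-Hellman shared secret.
    shared_secret = bytes(range(32))
    prk = hkdf_extract(b"", shared_secret)
    # Illustrative labels only; each direction gets an independent secret.
    for name, label in (("client", b"c demo"), ("server", b"s demo")):
        secret = hkdf_expand_label(prk, label, b"", 32)
        key, iv = traffic_keys(secret)
        print(name, "key", key.hex(), "iv", iv.hex())
```
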
Diffie-Hellman Two Options
• Elliptic Curve
• With the three NIST curves, or
• Curve25519, or Curve448
• Group of integers modulo a prime number
• Traditional Diffie-Hellman
• 2048 - 8192 bits
• Security of 2048-bit group is weak link
• Less than 100 bits
TLS 1.3 Improvements Over TLS 1.2
Removed Weak Algorithms
• MD5, SHA-1
• RC4, AES-CBC
• MAC-then-Encrypt algorithms
• Like HMAC-SHA-1
• Replaced with authenticated ciphers
• More efficient and secure
Removed Insecure Feature
• Optional data compression
• Enabled the CRIME attack
• Length of the compressed message leaked information about contents
New Features
• That make TLS 1.3 more secure
• Downgrade protection
• Single round-trip handshake
• Session resumption
Downgrade Attack
• MiTM attacker modifies ClientHello
• Diagram labels: "I want TLS 1.3", "Sending ServerHello for TLS 1.1", "Send her TLS 1.1 instead"
Downgrade Protection
• To prevent this, 8 bytes in the ServerHello denote the TLS version
• They are cryptographically signed so the MiTM can't change them
• The client can check them to see what TLS version is being provided
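The client-side check described above, as an added example that is not part of the original slides. It assumes the sentinel values defined in RFC 8446 section 4.1.3, which occupy the last 8 bytes of ServerHello.random; the function names and the `handshake` model (including its `offer_seen_by_server` parameter) are hypothetical.

```python
import os

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304  # wire version numbers

# RFC 8446 section 4.1.3: values placed in the last 8 bytes of ServerHello.random
SENTINEL_TLS12 = b"DOWNGRD\x01"  # TLS 1.3-capable server negotiating TLS 1.2
SENTINEL_TLS11 = b"DOWNGRD\x00"  # server negotiating TLS 1.1 or below


class DowngradeDetected(Exception):
    """The client should abort the handshake (illegal_parameter alert)."""


def make_server_random(server_max: int, negotiated: int) -> bytes:
    """Server side: mark the random when it negotiates below its own best version."""
    rnd = os.urandom(32)
    if server_max >= TLS13 and negotiated == TLS12:
        return rnd[:24] + SENTINEL_TLS12
    if server_max >= TLS12 and negotiated <= TLS11:
        return rnd[:24] + SENTINEL_TLS11
    return rnd


def check_server_random(client_max: int, negotiated: int, server_random: bytes) -> int:
    """Client side: reject a ServerHello whose random carries a downgrade sentinel."""
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if negotiated > client_max:
        raise ValueError("server selected a version the client never offered")
    tail = server_random[-8:]
    if client_max >= TLS13 and negotiated <= TLS12 and tail in (SENTINEL_TLS12, SENTINEL_TLS11):
        raise DowngradeDetected("server supports a newer version than was negotiated")
    if client_max == TLS12 and negotiated <= TLS11 and tail == SENTINEL_TLS11:
        raise DowngradeDetected("server supports TLS 1.2 or later")
    return negotiated


def handshake(client_max: int, server_max: int, offer_seen_by_server=None) -> int:
    """Model of the version negotiation. `offer_seen_by_server` stands for a
    ClientHello version that was altered in transit; the client still checks
    against what it really offered. The random is covered by the server's
    handshake signature, so the sentinel cannot be stripped on the way back."""
    offer = client_max if offer_seen_by_server is None else offer_seen_by_server
    negotiated = min(offer, server_max)
    server_random = make_server_random(server_max, negotiated)
    return check_server_random(client_max, negotiated, server_random)


if __name__ == "__main__":
    print(hex(handshake(TLS13, TLS13)))   # both sides up to date
    print(hex(handshake(TLS13, TLS12)))   # genuinely old server: allowed
    try:
        handshake(TLS13, TLS13, offer_seen_by_server=TLS11)
    except DowngradeDetected as exc:
        print("aborted:", exc)
```
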
Single Round-Trip Handshake
• In TLS 1.2
• Client sends some data, waits for response
• Client sends more data, waits for response
• TLS 1.3 combines it all into one round-trip
• Saves time
Session Resumption
• Leverages the pre-shared key exchanged in a previous session
• To bootstrap a new session
• Two benefits
• Client can start encrypting immediately
• No need for certificates
The Strengths of TLS Security
Authentication
• TLS 1.3 handshake authenticates the server with a certificate and CA
• Client is not authenticated, but can authenticate after the TLS handshake with:
• Username & password in a TLS record
• Secure cookie over TLS
• A client certificate (rarely used)
Forward Secrecy
• TLS 1.3 provides forward secrecy in both a data leak and a breach
• If an attacker can steal a client's RAM
• Exposes keys and secrets for the current session
• And any old sessions still stored in RAM
• Solution: use Secure Strings
• Provided by Microsoft
• Since 2005 in .NET 2.0
• Link Ch 13b
How Things Can Go Wrong
Compromised CA
• Happened in 2011 to DigiNotar
• CA's private key compromised
• Attacker created fake certificates for Google services
Compromised Client
• Attacker who controls client can
• Capture session keys
• Read decrypted data
• Or install a rogue CA certificate
Bugs in Implementation
• Heartbleed
• Leaked secrets from HTTPS servers in 2014
Improving TLS
• SSL Labs TLS test
• Lets you test any site's certificate
• Or a browser's TLS configuration
• Let's Encrypt
• Free TLS certificates for everyone