cse127: introductionto security

CSE 127: Introduction to

Security

Lecture 15: TLS

Nadia Heninger and Deian StefanUCSD

Fall 2019

Some material from Dan Boneh, Stefan Savage

Reminder: Network Attacker Threat Model

Network Attacker:

• Controls infrastructure: Routers, DNS• Eavesdrops, injects, drops, or modifies packets

Examples:

• Wifi at internet cafe• Internet access at hotels

Goal: Establish a secure channel to a host that ensures

• Confidentiality and Integrity of messages• Authentication of the remote host

Constructing a secure encrypted channel

• To ensure confidentiality and integrity: Encrypt and MAC data

• To negotiate shared symmetric keys: Diffie-Hellman keyexchange. Key Derivation Function (KDF) maps shared secret

to symmetric key.

• To ensure authenticity of endpoints: Digital Signatures

c = AESke(m), t = MACkm(c)

ga

gb

ke, km = KDF(gab) ke, km = KDF(gab)

RSApubB, SignB(ga, gb)

How does Alice know to trust Bob’s public signing key?


• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange. Key Derivation Function (KDF) maps shared secret

to symmetric key.



ga

gb



How does Alice know to trust Bob’s public signing key?

Public Key Infrastructure: Establishing Trust in Keys

Ways to establish trust in keys:

• Meet in person to exchange keys.• Not practical at scale over the internet



• Fingerprint verification• Verify a cryptographic hash of a public key through aseparate channel, or “trust on first use” (TOFU).

• This is used by SSH for host keys.nadiah$ ssh portal.cs.princeton.edu@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@The RSA host key for portal.cs.princeton.edu has changed,and the key for the corresponding IP address 128.112.155.171is unknown. This could either mean thatDNS SPOOFING is happening or the IP address for the hostand its host key have changed at the same time.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)!It is also possible that a host key has just been changed.The fingerprint for the RSA key sent by the remote host isSHA256:9yBBea9Z0ER6asvvtNf6fRXVra6LOQ3OVZLtYKVpNc8.Please contact your system administrator.



• Fingerprint verification• Verify a cryptographic hash of a public key through aseparate channel, or “trust on first use” (TOFU).

• This is used by SSH for host keys.• This is also used by encrypted messaging apps like Signal



• Hard code public keys in software• “Certificate pinning” used by browsers



• Certificate Authorities• A certificate authority is a kind of commercial trustedintermediary.

• Certificate Authorities verify public keys and sign them inexchange for money.

• If you trust the certificate authority, you transitively trust

the keys it signs.

• This is used for TLS, software signing keys.



• Web of Trust• In a web of trust, you establish trust in intermediaries of

your choice.

• You then transitively trust the keys they sign.• This is used by PGP.

nadiah$ gpg --edit-key [email protected]> trustpub 1024D/567B4BAD created: 2010-12-19 expires: never usage: SC

trust: unknown validity: unknownsub 1024g/EFE31B86 created: 2010-12-19 expires: never usage: E[ unknown] (1). Ronald L Rivest <[email protected]>

Please decide how far you trust this user to correctly verify other users’ keys(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don’t know or won’t say2 = I do NOT trust3 = I trust marginally4 = I trust fully5 = I trust ultimatelym = back to the main menu

Your decision?


• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange


• To ensure an adversary can’t reuse a signature later, addsome random unique values (“nonces”)


ga

gb




• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange

• To ensure authenticity of endpoints: Digital Signatures• To ensure an adversary can’t reuse a signature later, addsome random unique values (“nonces”)


random ra, ga

random rb, gb


RSApubB, SignB(ga, gb, ra, rb)

TLS: Transport Layer Security

• TLS provides an encrypted channel for application data.

• Used for HTTPS: HTTP inside of a TLS session

• Used to be called SSL (Secure Sockets Layer) in the 90s.

SSL 1.0 Terribly insecure; never released.

SSL 2.0 Released 1995; terribly insecure.

SSL 3.0 Released 1996; insecure since 2014.

TLS 1.0 Released 1999; deprecated and will be

removed from major browsers in 2020.

TLS 1.1 Released 2006; deprecated and will be

removed from major browsers in 2020.

TLS 1.2 Released 2008. Ok.

TLS 1.3 Standardized in August 2018 and is being

rolled out now; major change from TLS 1.2.

TLS 1.2 with Diffie-Hellman Key Exchange

Step 1: The client (browser) tells the server what kind of

cryptography it supports.

client hello: client random

[list of cipher suites]

Cipher suites: list of options like:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

This says to use

• elliptic curve Diffie-Hellman for key exchange• RSA digital signatures• 128-bit AES for symmetric encryption• GCM (Galois Counter Mode) AES mode of operation• SHA-256 for hash function


Step 1: The client (browser) tells the server what kind of

cryptography it supports.



Cipher suites: list of options like:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Server cipher suite configuration can be confusing and difficult for

sysadmins. Many insecure options like

TLS_DHE_RSA_WITH_DES_CBC_SHA

or

TLS_NULL_WITH_NULL_NULL

Subtle protocol errors around cipher suite negotiation.


Step 2: The server tells the client which kind of cryptography

it wishes to use.



server hello: server random, [cipher suite]

certificate = public RSA key + CA signatures


Step 3: The server sends over its certificate which contains

the server’s public key and signatures from a certificate

authority.





Certificates and Certificate Authorities in TLS

Website public keys are encoded into certificates.

Certificates signed by CAs.

Browsers come with set of trusted CAs.

To verify a certificate, browsers verify chain of digital

certificates back to trusted root CA.

Certificates typically valid for 3 months to multiple years.

Sample certificate

Who are we trusting?

Who is this cert for?

Who are we trusting?

Who is this cert for?

CSE’s pub key info

Where we should check for revocation

information

Revocation

• Problem: keys get compromised• Attacker with a key can impersonate you and readmessages encrypted to you

• Key expiration helps, but not enough

• CA and PGP PKIs support revocation• “I, Alice, revoke my public key . . . do not use it.”• Signs revocation with her private key• Others can verify Alice’s signature, stop using key

Root CAs on OS X

Which CA can issue a certificate for fbi.gov?

Which CA can issue a certificate for google.com?

CA Hacks and Vulnerabilities

There is a long history of CAs getting hacked or doing the

wrong thing.

• 2011: Comodo and DigiNotar CAs hacked, used to issuefraudulent certificates for Hotmail, Gmail, Skype, Yahoo

Mail, Firefox...

• Fraudulent certificates later used in man-in-the-middleattack against Iran.

• 2013: TurkTrust issued fraudulent certificate for Gmail.• 2014: Indian NIC issue certs for Google and Yahoo!• 2016: WoSign issues cert for GitHub.

Mitigations:

• Certificate pinning.• Hard code certificates for some sites in browser.

• Certificate Transparency.• Public append-only log of certificate issuances to trackfraudulent certs.


Step 3: The server sends over its certificate which contains

the server’s public key and signatures from a certificate

authority.





server kex: p, g, ga, SignRSAkey(p, g, ga)

To protect against man-in-the-middle attacks, the server

uses its public key to sign the Diffie-Hellman key exchange.

TLS also allows client authentication, but this is rare.


Step 4: The server initiates a Diffie-Hellman key exchange.





server kex: p, g, ga, SignRSAkey(p, g, ga)

To protect against man-in-the-middle attacks, the server

uses its public key to sign the Diffie-Hellman key exchange.

TLS also allows client authentication, but this is rare.


Step 5: The client responds with its half of the Diffie-Hellman

key exchange.





server kex: p, g,ga, SignRSAkey(p, g, ga)

client kex: gb

KDF(gab,random) →kmc , kms , ke


client finished: MACkmc (dialog)

server finished: MACkms (dialog)

Encke(request)


Step 6: The client and server derive symmetric encryption

keys from the shared secret using a key derivation function.






client kex: gb





Encke(request)


Step 7: The client and server verify the integrity of the

handshake using the MAC keys they have derived.






client kex: gb





Encke(request)


Step 8: The client and server can now send encrypted

application data (e.g. HTTP) using their secure channel.






client kex: gb





Encke(request)

TLS 1.2 with RSA Key Exchange

TLS versions prior to 1.3 also supported using RSA public key

encryption to share the premaster secret (shared secret

master key).


[supported cipher suites]

server hello: server random, [RSA cipher suite]

certificate = RSA pubkey k2048 + CA signaturesclient key exchange: RSAenck2048(pms)

KDF(pms,random) →kmc , kms , ke


client finished: Authkmc (dialog)

server finished: Authkms (dialog)

Encke(request)




master key).




certificate = RSA pubkey k2048 + CA signatures

client key exchange: RSAenck2048(pms)





Encke(request)




master key).




certificate = RSA pubkey k2048 + CA signaturesclient key exchange: RSAenck2048(pms)





Encke(request)

What if a private key gets stolen or compromised?

If an adversary obtains a server certificate private key:

• With Diffie-Hellman key exchange, the adversary can:• impersonate the server to anyone.

• With RSA key exchange, the adversary can:• impersonate the server to anyone.• decrypt any traffic from now and any point in the past.

""0 t 10 (!WI. 01!()9) S:.tbpocna 10 Tcst!1'y aelb:e, G~ Jury

TO:

DaHas, TX 75204

United States District Court "" ., Eastern District of Virginia

SUBPOENA TO TESTIFY BEFORE THE GR,.-\ND JURY

YOU ARECQMMA.,'lDED 10 appear and testify before !be Uoited States district court at the time, date.;me place shown below to lesify before the court's grand jury. When you arrive, you must remain at the C::Ill" until the judge or II court offioer allows yO\! to leave.

Pltte: UNITED ST A YES DlSTRlCT COURT ~Dl COllrthouseSqulrf Alex8ndriJ. Vir,inI8l2314

II: tnd Time: July lG, lUll

________________ J-____ __

You mUll also brin& with)'O\l the folJowill& docume:1ts. clcctroni~!y l10red lnformu ion. or objecu (bll!!'.K ifr.Ol "?plica.bl,,):

9:30 AM

In .. ddifion to your !,l:"l'SunHI"flpear"nce,you arc direeled to b ring 10 the grano jury the public lind private encryptiun I;c)'5 used by l:.Ivabil.CQn. in any SSl.. (See orl! S<:>ekel L:.I,,<!r) or TLS (Tr:u"pon Secllrlty I...'lyer) session$, inciudln: HTrrS ::I<~iOM with dients usin: the !lIvabil.com web site lind enl"rYflled SMTP ~"Ommun ieation~ (or Imcrnct '.:ommUn iC2{iQn~ u~ing other- protocols) ~lh mail lCrvCr.;;

Any utt:c r in form:Hl on necessary to ~ccompl!$fl tht insu ll2t1on :lncl use of tile ptnltrap device ordered by Jud?;e BIlc;h"nnn 011 June 28, 2013, unubtrusively :o nd wiln minimum ;ntenerenl:"t to the serviee" th2t arc >lctorded persons with respect 10 whom Ihe inst:lllati(ln and use illo take place;

If such information i3 electronically slof'1:d or unable to ~ physically transported to the ;:rand jury, you mtty provide ~ co fly of t be information to the Feder ... l BurtllU of [nv~tig<ltion. Provi$ion of tlds illformalion to tile FBr doc~ nOt excuse your personal appellnlnce.

Julv (I 2013 CL£RJ(

·f'!.c n&me, lId=, email.Md!el-:phonenu.mbecofthcUr.ill:d StIIleS ~lomey,-orllSSistc! United Stu~~y'who requests this s~bpoal;l, tL"t':

". 1'I0~n.)'

JU.Ul1 W. Wi1li" m$l;"ittd Sr",r~ Attonu,.'s SII,hljn: ] [00 J\lm l '~un ,\Venlle ,\ll· .• ~"drh. , Vlq~;r.i~ 1131~ p03} 299·nOO -_ ... - ...... .

.' .. ,., .. i '.'. , ,.4.>:" "',1\ " t :'.",,,~ fll'::~"" 1 , I.t ... , .... r',' ,.f. .•

" " '-". ,.' .':;'" i • . ; ', ':i,'~" '., ; ..... ,(, ... ; '-r:''- ~ .'." ." ;,:' j • .- .~I ~ "., . , .... :" ,,1 1 ,~1 ~ ,""""1;:,,:-, \,\~""H, .. , ,,,,,,.;, "'; <.i:"'~ • .', .. "

.A:·'~ :i.'.'.lJ." \·J:I.;:~(t,' ,1:,1'1-..".,,,,,,'.,,:_,,. i;, -.:" ',~. },; ,,",I;' 'j'::"'. ,'" '.,,:. ', )1' , .. ; ." ,;,,,,,,.; 1\. · · f·c.;~ ... f-'~.··"~ ' · !.~~''- ... "' ..... ~,

' .. , . .... ':,' ".1 .:.\.1. ,, :,'''(;, ~. 1 '.-,' - ' •• : ... '.1 .• ; .... '!:.. ' '. •. -:- ' .' , .", : ~ , . '. ~'., . ' ",.!> , .. ,.,: .".I.,.;r,:. 'J. ;';.1 . ,,': .• f; i~, '\O.);"v~ , :; :_-'-' ,) .... , .

. '.,'. ; ; .,'.('.: •. ,.,;. ~/.J~ i . \"l :, ,;' "'.~"1~·; · .~ ." : . :. ' .. ' " ;, . ~'-" j

;.-" ,: ro',' . : ... " ' ~"~f,~' '~I~·f." : ,~.-;-, .. ; ! , I;.; 1">" l<;; '~",f:'" .. ~: "-'~ . I, \'-1".;' .• ,,:, .. \. "":""~1 .' ;'~~'''' """'"-''' ' ' ~ ,! ". ,. ,' .,j ''' ' '; ''''''' ' 1,,1."" :;, ... ~t .. ,i..-, .',~~. ';;. '1'- ' , . /.", .- ',,:

.: ' .. "". ,, ~~.: ... ,:1',.,"' ... !~; \f_.',,-, ~tl "; ::' 'IW"~' " .. ,;,.~"

. ,; ;: __ L~i '\:.;/;~~'.:~;~~;~~i;~~~:··~~·;ii;<·~:~ ;~).~ '; :);r,; ~'· : ~;:;:,: ~~ '.~,.~J.;:;.~ i ~.;:"'~:~ ;t\;:.!.;.;:-'"g';.~~·;·~/:;'~~ ";l\~~~ !" :;·.~r

.' ' ..: • '" ; ,~. , .,," . , , . ',- ' ," ", " . .-.~ ;' "'''.''''. ;J' .. --":-; ,, '.'<;': :' .. '" - ·t:.· ;,', '. ,;, ".:,,~, ; ... ,,:,-,.._;,;~, .. ",, "': ,: . •... , • • " :-t~" •. , .• ; .. .,. ,. "" ,,""t' ", 1.:' ! '.;. ~:. ;:.' . " \ "i-",' ,_, ." "" ,':, , .::" .", ' r.· '. \:-: . '< , '." ~".':,~;·r!::.". .. ;. (~;' ' : . .....

f :: . '.' '; ,",:" '!,. '.', .,: , .. ~.' . '" r" . :, "; ~.,,~~ ... :. '." . ,J ,., '.-,.' • •

, ; ,,~' ... ",..-' " •... k· . . ' t- .;1\,.1.".",: .(·t · '.-,:'

, .. ~f'" ,' .. . : >;.: ... ~ ',; , . ' ." : ' ...... ,. ::. " ., :.,,-,' : .... :{.~ •. ; -" .. ;,; • • -..-:: ' : ,1 ',,, :. ;::;:: X .. ' _ ." ~'l.. _.

, ... c' ... ; ':';i". }'." ' .' 'l'<', , _,;;'. ~!- " !"o ':r"'.'~\o" ;·.,'·v' .''-10 .. ·0 - ~ . J." " b.~ ' r b·':· :'·",y,",," ;:I~ , ')l.4;'"' . _:~.;; l, . . ' ' , __ ,-":.-•.. ; .,,"::;'''.' ~~";,- :" "' : ,,~,; :';., ;,'.>(,' :,~. 1;,·' ,I,: :"

." c . .... , .. ;'",",) .. ,·"t "': . :'! .'~J ,'" ,:,>:("";u ""n,. ".<, .... lI.;.~:!'~ " , . :' "~,,~,;, ~"- \;) '- ".k', ,, .. i:io-<: .. ,,,,l"'.:' 1 .I'l',~:!.~"" .r; . ' .. ~( ;.; •. '

'}; ', .. ''- .,.",,~"""" ~\.,,_ '."~~:A.\':~;" ~'~ 'f!(.'.<'.'" "., .";~ , .• _~\. ,: -'; '. -, l :'" "~'. I---",'~ ! .).1 .• •. ~ . f' ,J.-I:fo':-<~~ • ' . , ; . , ';' .i!;:J,';, "1 ~ ~."

,' • • • ,..t _,.,1: I .• : • ; ! ·.jOt:", ... ~ ~',"'~" ~ .(.;.~ .. ':I" ! ~"; ""J~ ',", '(:~, ". .. . '~ " .t.~'i-"', : .~', .::: -":~, ' . -... ,.,., .V ,~ •• i'"' i .' <"", .4'1 .•• ,"~ .. ; '..,.:,r.:~ .," .. ' ""}"'~""" ... 7· .;>{,, : (.".,(."". ,.,~."

· ." .. ' v·:-:. '.,-'. ,~, :' ' ,,. ., ,.',\'·'I>"'.t ..... ll ,r .~" ..... , ... 1.<' .~ , .. 1 >'.~, .'-'" \', ·'11 " .... ,-,. ;~,., "~,"' . : t,: i , I ,.;.;, '.~\, .... . . , •. ; .. t,

.~ '- '. ;::.-. ' :,'!.-" .. " ..... , i;,,> .. ',Ii" r'''''' '1'l .\ I ' ...... -. . ~ r. ., ..... ... ~ ;.:"., . . : ';.!'! :. : " , j . : . . ~.".,.:, ~: ;1t.<l:,J'. ~ '., .\' \'. ~ ' ... '; ~ ",',~ I' .. : '! ' t: · 'j', , _~ .. ,;. '''~,;·'sl~)~·,-!''" h:\ '''-: ,.~\/.! · ;,' ·. >,!I>

, ,',. I X .. ~",." .. ;.'~d 1,1-.[-" ,':' :.lr.:.)l, ~t> '" J .. ' ,J;;.:',~", ..... , 'N ........ ; '_"'_' . ~n,' ,~ " . ' •. !.I' .' -..: .~ , " .,.,,:,~ .. ~ ,:.Ii; ">'''-',,".I>"'':',~' . : «>"

"'" '1~' '''-···' , ~:, ' 1';'W/s"'J ~.:-t "'.;",;.; "' ~"-'::~''"'''-'I;.i''; C ," '<$. '" ',.', . " .' .• 0, t';:""XV'~.~ " :'~"",'I : ... ;~, :;.,,: 1<.';~I)t-(.':, h\<.': ••

..... :, ,;.',"1';<1" 1.;'.\, ri.>' ;""'1" .•. "'1 ,.; ...... '''~·'1.:'r! ,', ,.,., ., :".~ ,', •. ~.~,." ,'.~ :;;. ';; , ' .. "".';,,, ~.-'~",;,o,'~J;: , ,,-,",, · .... In·' ."'·, .'; .•. ,.

• ' "';:""" :1 ;.". •. >1\,",,'''''.> ~)~""h""·X •. -1,. , \, ~'.f .. \ ., : :., ,~: , :, 1, '> ;t .~, ';;;"; =,' , n·, ,. :'>0:;' :l~,h' ~'" rf'.';·'<'!II).'" t=':'(',1~' '.J~j ,,; .. ':" , '. ' . ' ,.t.~.! ..... ,, : ~ "I ~." i ... .,..~'.~·l1-"",," ·'~~'·," " I ,;;0: "" •. , t ·,,· , ;, .~< 0 •. "0 T; '~~'.: " "" .. , .<-1';';" . '~. '; ' ,";:":' .~ ""~ ' ~';'~" , ~ '.'

; ," .: '.\ , "I •. ;' .. I.'oj.:.,,;, .. ,,", l~ q' .,,; I; J-! \. ; , • (.~. ,"c,,',':'" .:' < :~« , ) ;~ .• ,'~ \',.,... \~, --,,·,,··t · .;~":"";,,

' . ':',"; 1.';-

, .·f,.':·.' .. , .• ~ ,"( '1' .~'.-~;: '.t: ·~.r ."\1.~ :1 ',', . '.' .... < ' .• " . , .. ,~,- '; ""'.-:,; '-" , ~ • .,,,. < .. ' ,. " '- \"0( ;.' ~ .. • ••• • -.-.

~. " ':':""''''''' .''Y~' ' ' .:",~ .. ,~,-< .... 1.;_ " .• ' , .. ,., •. " ... ..> .,.. .... :., . .... "h~ , ·;,f ·i.' .'"..~ .. ,., ... ~"' .... ~" .. ;''''..".,'¥ •. ,,' ._ .' . . '!.'~.- . : ·"','l·."'· .,.~n'~.~,"'·,'t:~,: " ~11 s:;~,1~:r: ' . ';"~'J \'-;!'! ,bV:,~· I>

,~., ' .• ~ ' .' "",~,\,, ':, '.\' ,," ,,::.,,.,.1," ','.' ', ~'~.'I<"r. ! :., ..... : ·~<.';..M · ". ',: "·"",,"t ':1". ·'·,., Vo.! ~\';;>'<:'·-;;·I.~(...: ·;.'"j..·· · n ,',,: .'~, " ,:,:. ,;,.~ .", ''''.v.,' ~·s;. i<~~ ;~_ :·!,.,)' .. _ , !'I,~,·~ ,;.,.\. ,,, ,~; ,', · .' .:'-':', : . ~.: 'I) ; ~.; .;: -. ' : ,'I, ,:;_ .,j'~,-, 1''::1.) oIl) :.;; ~.", ", ;:.,~ ., .. ' • , .. •• :.: ' ., ,,:'" :, ~:.'" '. , 'I.;". , ~ "~l"."\':"":, .' ,-;-. ". :,' . , :,,,',, ',-.. " ' : '., \, .. ':, .• .• ' )' '" ,:,:'".,;' , . " '~r:; " .... ·. ·.~ .. ""A',""; , .. \ .... " ' .~;.

, .;' ,., ;, I.; ,," "~:.'''~·1, ;;-" '.~) J' :': :01> H! .... .- ; "-~' .• :: ., .. "":, .• '->\ "' ; f'~I'·'·'."I!" ;"·~';:'~i.·!.·",, , .. ,,:{. ~';"

.. ' , .f·' _··\' .v " '~''''',f,·''',.~,:,. ,'·I.;''; <' ·''';':' , ·." , .-.!.-n ''' ., :", ... ",:", '-,~ ·,, -',l·.'-'<'{J·,

:.0::;;" '.;;

. ,'.-.! .'., 'I:'~ "' ''''r "";-""'''' ' .'';' . .,;~.~,, " .' N' , .. ,. ""' , ~ ~', :' i,';,~ I; " ,-: '''';' ~'."-" l~ I d.1 ),o'!~; ';.'" . . .... , .•• ".,_~ ..... , • :'," :'.-':." ,_.

~-"" .). .. ·"c':,; '.' " .... , r ~.:.;;~ •.. ~. -'If ",.'.,:", ;",'{,:-.'1 •• '.' ~, .. ; .• , '" . ~.

· '.-- _ ... ." ·;·'~'\;"; r"';,~,:'I-(),-w,"o1, ' $· .. ~:n.~ '::"·,"'" ;'.::,";". t .1 '. : ',"' ',.: '" I.':' ,t: ::':"i "~"':'''''' '' t .. (. V.,;: .... ,~ ,\,. l.-;\f'-'.-r; •. ,,;.,; Y, .... ~ : _.

" " .: ,:-;\: - . "~:_:'" -,' , ' . '~ " ',',t ..... ,' :.' ';0 r.'';' .1,,, .. .. , .' •. : ;,... .. ~'>Y'V''''' .! ~":,;;. : ... ;. I~,~·;~.,·::;~,.y,',,": .. ~ i ."" 1'.# ."":"": ·.i·· .. ' ~'-i ~~'-

'." : i:.; ,f'-{ "<i ~. ",'" n,:·~ .'~ ':·::t.1'~I· '. ,.:' .~., 0:" ::;.~ . .. " • ~~'" -, .. .. \" ••• ' :~ " '" -y. i '.:':> ""; ". ; ": '.,:; ,. 1 .... . ··,'1 ... ·',·

., ',' .. _' "',.,; ",' '~.' ~., '.~ .' ~I'''_'.:!'' v. ', .>.t •. ~."" :,. ,,(.~"., ::. '_ ,', '_.' '. ~. , I ~. " ",!,·, . ;' 'Nor,', .; (1.. ·" 'h.O",,~, li", ... , I .I.' ,;,0 :fJ

<~ ~ " .' . : ·~ ":ii't.~ .. · ... l,~' , ,~;"j)'( ''' . ~ k·,,,.,.:I, 11!! ~ .. ,! •• ,~ ; .~!; "1 " ~~,~ . :,. •. ..,: r. ,~: :'.: ; ; ,.·::..l' .... <·,~:;.~:;lI'"'~HX:J: ... f.f.' ....... '-l.U" '10" ,<' '. ~, r _!."1_ ":'\J',V; !,:i~'.~ :J.I.'I:.o'!.~( 'll • " y.,;(J'}.~ ;:~ .lf;<'-i"j"·L, /.; , .: :.:

.~ , :; :':-t , N~'.'" U;':,.:i';";'"ri!l:,t.:K. :....Jo. ,\'7<_~" ,~.H>';"in' ;,,,.,,;1(> ,;; , .. ; .. "\ .• ~,, "h ·_ ,·),'.'1I!.t !I" , ,,,,,,,' '' ''''~ ~/, ,.. .... !";¥-nt)) :_ ~>" "¥·'.~"'.;H,,"~ . ~ ·.;'"I.~i. V; i.'I;~·~! .... ,~.W'Q" \ ' 't",,~,I;,>"I." ~""""'~>J.. ~,;~<),,"W')"rr: ,,' , ' ~)~ ~' ...... ;''';1'. '.:;' .II ;:"': :M '.""'':<'jJ! >~Il~.~cr:, ~'.d";', ;>)0:.:;.,

...,~ , " .'.~~~:·'~·:'\:.Ic',. , oJ .' ,\. ) I ~X't_,1\"" t'"',"'.,' .• , .... -,~, •• :,':t. ~ Y,. :; .,";' ;.). ~ .' . .., "'·."I~,,~, '.';'I.", '1.;~-( : .' ,"'~l, .~~ 0:11,1 ,'~.~ .• , :.~;.

.: "":~I • "'.I ,': '_ ' .•.. : ... , .,~1tT-;;~t,: , :.:L' .~ i' ,-,( , '"' :! ·.~'I ~. : r:t.· ... ,':· 'C::. {,~,. . ••. ::" r~' ,.,::,~ I ,,\~"' .• , ;>1_ .... ,' .... ,\ . ,"",-: •. :>':' .... ,,", ~"' , • ',,' ;.,. ~ ". 'r",,, .. :'1 ;"tii ~>Jo,~,~:,~:~):·.; ~''''·I:.c:'l':~'' l'':t{t''''''''·:f'(~' ';"r '~i..- ,,:~"'.,~:::' <1_ l'<tI'h« ~ :>r."1 !"II ~~ :'C);"I!,_" : .,j "~''l:'''~,j'~ ;'f:~: ',J;; .~ ;.;~ ... '. "" !~.:~":: ''''(.~~J),'C, ."tl. ' '''.'¥J ~J ,~'::- '~";''->0:'.' ":.",(':'~T:~" ,«; ~,; .f . :.~:, ' . , ; '.'~·);. ·~~r, '" ,,..,,, :1ti '''~':f ! .' :>'I.,,:J ~.r.:.7. :, t :r''':, ,:;,t :if, I ' '<:;."'. ,. '_'." [ ;: "~ I" " f-<! ;~11 ;0, .. -;,,:1" 0:"""; "'<:"" .• ~' ;;. ,~! 1'" "

'. ~,:", '", ;0 , ... :<>1' " ,~ ... , 1,!,J.';-;'~' "" ~.; -,,~ , ";,,,~y~ :~'~1 " '::"~"_

' _'~ . ~~:;, .::';! '.:. :··.~·,~,!".:,l : ". k:.'t}"<'J"...:/o":<:.' .• VI-;'''')';-'' """ : /:;,: , .. ~"..:,.~.;>/-, .. :, •. ,W;,";,'_~,(f",-,{((,~ .• , ., :,' . . _' ., " " "'~~\ r :_.~., 1";" : .t,,';.t~'" \<~ >. . I-;_~I ',":., .';

, ' .- , :.~ , '''~ ;n' [;.~. ,,:/ Yo, '~"/ '~'J' ~:".l<,';!' .... " k' : ."'~ . ,<,-",,, ~" '\ '\ ,11'; :. "" , .c,:, ·l:.f;'·· ;. ~ .' .. ,,:.,s.; " .) ''';~'' ' ... '''1~II';'·:Il; ~':~·': , ' ~" '.~' ;.'- ~\ •• I.~·N' .,,':;;,.'.;.' ' :r.-:::~,f:,·Xii':'M!~·"'::'~""'~'h~ ~J"-;A\" I,.~, •• \ ' :" .:oi \o.' 1:\ :-'"(~''''~.:I,~ :'''' '-n·' .:.,.!,'"f." 111 •. .-~ .~!,i.l · :A'Y. ::--': :'

.) ."" """';"',i " "'c'" 'i .~.'; I, .. ~~· .... ' ,0:, ' . 'tN ;, ,!,< .'~i'''"".' ~~,: ,.:. ' ~".'" _,,;~ " ~. ~"""'f~":-" ~) ,~· .. ·""r , ',,, ,I",.,' ~ ... ",. \', "

" " • " I ' t · , .'''1>'.' , ·11,;.~ ., ..... ,,: .• 1 '.1-1' ~\-'~~~~',;::.' .''''' .' ...... ' .. , .~_':, 'f·_" i ....... ·;., : .. ..:.,:-._%,: , ' ,';'\1" t\o''I''I''~; ',1. ;.J,,":I •... , - ,.' .. ·~"~I,Y.,,,,,,-,,,,,"~:tJ"-, , .1~'v''11.-l '·'"~'''''''''''''''·

, .•.. H;l:;~r', ';< ' N".' W·"~ .. , 'J""""'~:"":;t'~"r>:._,,,>.r"; ;

'.' .. ", ," ..... ' .,."" ,~ ,¥o''''; ' <, .... / ,-~,r. · .• I':,o.,) .) IJ •• , .' 1<' ~:' •• ·'IM";·I '-" .. _ ~ ,.'1 " ~\··.I\'h.V:::·"'''''' '~ ,: .• • , l·~;:~",.,·,1}, flI:I.' ...... )"'.'1 'fflr ';" ~w.,,,=,, .. : .

::.

.... r . • -, ,k"':;'-,.I.;;.-n.:I.;1 I . \>t.."',,., ~ ,'.,11''''.''1 ,".>l:':\"'T,,, N V""; '. ,

.-::, .- .: ';' ··"l-:'''.'fI ,.~. ,1 :::';,(h;o,.' r.u .. ..-,I J.;;,o~"1 C(" '} . :(:;.;" •

. . ~" '-(!'·'-·h';::'C""'.'l;ll~': .. • •• n ).-O<~' ;:'··~.':'';'''''J '''U:'''' ,.1:C r'",: ., '",: .. \",.~, ",.'<':': ." ':' .i'I::~'-:!h:"': l ·i'¥t~ ~~".v,;£.i'l,,· .. ·.>"'I':I:' ,-' "'.,~ " ~",,-"'.,;~ :v,.~, 'I,LJI ': O!. ;""",., ." ~""I'>i:""~\."9J '1"";":~" '~I~rt,f.)~ , ,." ~ , {(. "ii ~>.u I,1,:I<::n ..... , »r·'I';-,\~v?o!r..~;~""" ~ '

, •.. : ,(,(,.,.1';:".\,,: "!x.,?,"';li'lvlf"':"';lJl!;"'_·'\l"~-'I': W.';'O,· ·.>' ,,~

;. ' ';,; .. ,:, :1', _,,,: ~' ; h':"."'~::;"'::""" ; '·."::;..' iltl1 : ,tc· \ : 'I'N'::,': '.-:,.'.'

I; '~.~';". , ..... !~J"I :-( N ~,! ... :~<,,-,,;.y~ -" t o"';," .JH1'iO'; ' >:,!i"",I<';, ,1 ,-.~ : · .... iv" · "' _/W"" / , '.>:;, ';-''' :.:''''_''~' ' ; 'j:J. , ."'" ......

u;; (". , I"" .,;, tI·, I ,;' ft ' .': ' ~." , ,}I\ '· '-"'1':" :" , ;-, ·.<Il~>.,r;.!· ~ :';:'",-, ,:,'':-';\ ">r . '.~-h·;·;, .:), ''',<'': , '. ; ,h.J.!f.' "(r.,;,:.".].' ;

I .'",n~, "';':."» mf,,'!'J I."I,,",''''-.:.,,';:~ iX .. ',.':" ,.:;.. ·'t.'.l.·:·i~ ','·"(' r..". , , ..... ~;. "~:"'!' M i , .:-.: ,I~,,"l,~ ,:1<.', :-:.:"'; : ... ",-, \": •. "'~;"'!. ; ; .

; ;'- ; ' , ~'.\.~ ," ' 1-.; ;' .. :(): .1:.-;\';"1; ,;· ...... r-r::,J;;t.+ . . ,i:.,.~(j'J':<;I, "

.; ,) ··,_'i~,'.f .. \",:,>.,(' ;;'c:i',·.""~!.,:·"'. ";_' <; : '>'''~ '-:, >, .• .. '1 .'\.' ~. :~I.;·" ·:'; "'·;r .. '.'~'v:;M';"'~?~·:, ." \ " ~'

• " " . , . _"1"'_ '( ....... ..,.-.. ! 1';-, .. ··, :;o,::;·';,~.\·N'-'.r:'" f"·,,.:, '.' '} . :";- .. ' ,. "'.!' ,1 ,,-.~~ I .,~:, ' I-v~",.~, r .. ( ... ~ r;:;:,~,"~ 1;.'.1 , ," ;

' .:J ' ... , .• ~.~,~.,. A.1"' . .-.. , .. ~ ... .,. ... ·,:": • .'i:·,, .. " ·,,>,·.

.... :. "

. _ ;: ... ,.:: .... ,' i·i·'·;':.).·~":\,"1:;:""" "'·;"'·"'·· ''''''''' ~ ''~ ,~ "~" .. 'c'''''':( ~ ... . ,.,,,~ ' WI.n<':''>:1'<)o ~;'l<>:1m',"-'¥l.~, ' .~. ,,' ',.~.' ;~' .~1" · "-; .... "'·,n''-·:'1 ?>~.'~:;'~·':'-':·:I:l~" !'-r.,,~,,\,

"'( ,~-:_, ... ,'d X'1.';'. - , :':; ;~~;~:' "'" ·l'a":r-if.' ;-'.'H. t~f"'~~~i ~ "';. 0 , .'.: '; "l~""'. ;,~ :" \,·,.r·' .1 '.' '~.;':'.,"";':. , r.:"~.'~"l-:'''' r,.F.:iV, ~n::~':''> ;' :,::;"," .-, ~ .. , ,"" ,(' "!f .,t .. r:,,·:::. i: !r! :!;~:';:;' :'" \l1i l(:3<h .<~u.;:'·W:lw " , :,.;- ._ ,~," ...... , , .. , ~"!~ •• '~';', , -<~T, ~ ~ .., .... ;:.;,:.., , _ r· , ':;~' .• I,"·""· ..~ ,. " • .'.' •• " ,Jo!,' ,-. ... ~."".~.<")<-"' .•. ~'''; ... (") I.~ ,,·,,;. .,.' ~?". , . . '; .~; ... " .. ~., "( '.1 ,' , .• : ." .,,,; • . :l ,~~v,,_!.;:,l1',~ .... Y.',,;~. , '.", • ~!';"'.i"i:4.'h' .. ~i, ,,;' ... r".:'. ;Jt ":;',,~,. " .," .. ~ ... . ;0:; ,·" •• '" .:'.-1,

... . ~" . ; .. ( ';'.,,<, .'~:""''-'~'~'.:' :,"'·¥ 'As",.C ;\:<" .;",,;·, . J "'(~i;1.'-;; i'('~ !,.. :."''" 1'-'':~ .... ·r', ,I • • ;'-''' ",;': 'll'"','.11".!;lt"":~ ~·".";;"-··i .< .. '"r; .. 10 . , .. / :' t.'iH:.l.:!. "1'; , ' .. ;

'''.~ . ,,~, .. ' .• ;',," ... , ,,~,:.~,,~;'.l ': ":('.' ~ , : , •. ~(~.:->~~.-,. 0-,.-," __

'!',-".' .~ , .'.\I>' .. , . ." '.-"l"/"',' ...... ', .. ,. i->«I,",j' ".r."" , .. ,,,' .. .• ~,;. : , ,-r.:.;; ~ '~I'-':·k',.,,>.(~,,,,,;_,, 'i', ~ .""(.-:: .. >1 ";-; '' ' '' .

. ;, .. i " • ,-,.,." '" " '::-. " .. "'so ) .,j, : ... :,,,,, , .• ~~ ,,; . ..,~ . i: " t'f,l~. ~.,.. •

"i' -.. , ," .;' .. : :N,\ ; '-': .~"-1' J'o1:~ ' J,''':''''''':,(/' •. ~ . ;);.~.,: " .'''' (J;"> -" '" I "

,;', .~; '.~--:~;:. :: .. .t;~ ~,~~~~';4:~ > ;~::t;:;~:::~~;~ ~~':i;,;~:~~~""" , .... ' " ' . . ;-:. ,_./: .; .• ·"9!.··~' I:i""""."t: l :" ., ~ ",-: .r·' ,,- ;',:

I. """. ,~:,,,~·.·:"-:''''· ';\':'; l ·'''! ?.n - .'._"".V!!,·· >.~;." "'c', ,, :, ". __ :·1. ':'.' ;::1. :r . '. " ~, ,_, , , ,; ',;! •. t.',,'.·,,' '.' ~ ~', ':.:

August 2013

https://xkcd.com/538/

“Actual actual reality: nobody cares about his secrets. Also, I would

be hard-pressed to find that wrench for $5.”

TLS v. 1.2 and below have had a lot of vulnerabilities

• Early versions of SSL developed before cryptographicprotocol design was fully understood.

• Later protocol versions retained insecure options forbackwards compatibility.

TLS 1.3 is being deployed now

Developed over several years as a collaboration between

cryptographers from industry and academia.

Standardized August 2018 by IETF.

Major differences from TLS 1.2 and below:

• RSA key exchange removed.• Protects against passive decryption attacks.

• Only secure Diffie-Hellman parameters allowed.• Protects against attacks exploiting bad choices ofparameters.

• Handshake encrypted immediately after key exchange.• Limits the amount of metadata visible to a passiveeavesdropper.

• Protocol downgrade protection.• Protects against protocol being downgraded to priorinsecure versions.

TLS 1.3 deployment difficulties

TLS 1.3 deployment is slower than it should be.

Major reasons:

• HTTPS proxies extremely common in industry.• Many of them rely on RSA key exchange to makepassive decryption and traffic analysis easier.

• Removing RSA key exchange breaks all these boxes.• Man-in-the-middle hardware is also quite common.• Bad implementations have hard-coded values like TLSversions and there is no way to update them.

The “crypto wars” and the historical development of TLS.

International Traffic in Arms Regulations

April 1, 1992 version

Category XIII--Auxiliary Military Equipment ...

(b) Information Security Systems and equipment, cryptographic devices,software, and components specifically designed or modified therefore,including:

(1) Cryptographic (including key management) systems, equipment,assemblies, modules, integrated circuits, components or software with thecapability of maintaining secrecy or confidentiality of information orinformation systems, except cryptographic equipment and software asfollows:

(i) Restricted to decryption functions specifically designed to allow theexecution of copy protected software, provided the decryption functionsare not user-accessible.

(ii) Specially designed, developed or modified for use in machines forbanking or money transactions, and restricted to use only in suchtransactions. Machines for banking or money transactions include automaticteller machines, self-service statement printers, point of sale terminalsor equipment for the encryption of interbanking transactions.

...

Timeline of US cryptography export control

• Pre-1994: Encryption software requires individualexport license as a munition.

• 1994: US State Department amends ITAR regulations toallow export of approved software to approved

countries without individual licenses. 40-bit symmetric

cryptography was understood to be approved under

this scheme.

• 1995: Netscape develops initial SSL protocol. Includesweakened “export” cipher suites.

• 1996: Bernstein v. United States; California judge rulesITAR regulations are unconstitutional because “code is

speech”

• 1996: Cryptography regulation moved to Department ofCommerce.

• 1999: TLS 1.0 standardized. Includes weakened “export”cipher suites.

• 2000: Department of Commerce loosens regulations onmass-market and open source software.

Commerce Control List: Category 5 - Info. Security

(May 23, 2019 version)

a.1.a. A symmetric algorithm employing a key lengthin excess of 56-bits; not including parity bits; or

a.1.b. An asymmetric algorithm where the security of thealgorithm is based on any of the following:

a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA);

a.1.b.2. Computation of discrete logarithms in a multiplicativegroup of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or

a.1.b.3. Discrete logarithms in a group other than mentionedin 5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellmanover an elliptic curve);

...

a. Designed or modified to perform ?cryptanalytic functions.?

Commerce Control List: Category 5 - Info. Security

(May 23, 2019 version)

2.c. An ‘‘asymmetric algorithm’’ where thesecurity of the algorithm is based on any of thefollowing:

2.c.1. Shortest vector or closest vectorproblems associated with lattices (e.g.,NewHope, Frodo, NTRUEncrypt, Kyber,Titanium);

2.c.2. Finding isogenies betweenSupersingular elliptic curves (e.g.,Supersingular Isogeny Key Encapsulation); or

2.c.3. Decoding random codes (e.g.,McEliece, Niederreiter).

Technical Note: An algorithm described byTechnical Note 2.c. may be referred to as beingpost-quantum, quantum-safe or quantum-resistant.

US Politicians on Cryptography

“The government must be wary of suffocating [the

encryption software] industry with regulation in the new

digital age, but we must be able to strike a balance between

the legitimate concerns of the law enforcement community

and the needs of the marketplace."— U.S. Vice President Al

Gore, September 1997

“Because, if, in fact, you can’t crack that [encryption] at all,

government can’t get in, then everybody is walking around

with a Swiss bank account in their pocket – right? So there

has to be some concession to the need to be able to get into

that information somehow.” — President Obama, March

2016

“To think that Apple won’t allow us to get into her cellphone?

Who do they think they are?” — US Presidential Candidate

Trump, 2016

Deliberately weakened cryptography in TLS

• SSLv2, SSLv3, and TLS 1.0 included options forweakened cryptography to comply with US export

control in the 90s.

• Browsers outside the US were supposed to requestweakened cryptography, and those in the US were

allowed to request normal strength cryptography.

• Browsers were updated long ago to never request theseweakened options once US regulations changed.

• Even though the political situation changed, manyservers never removed these options.

• 2015–2016: A series of academic, mostly impracticalattacks (FREAK, Logjam, DROWN) show that even

current browsers at the time could be vulnerable.

cse127: introductionto security

Documents