Overview of TLS v1.3: What's new, what's removed and what's changed?
About Me
• Andy Brodie – Worldpay Principal Design Engineer.
  – Based in Cambridge, UK.
  – [email protected]
• Neither a cryptographer nor a mathematician!
  – This means no maths in this presentation.
Agenda
• History & Background.
• What's Been Removed.
• What's New & Changed.
  – Cipher Suites.
  – Handshake Changes.
  – HMAC-based Key Derivation Function (HKDF).
  – Session Resumption.
• Summary.
HISTORY & BACKGROUND: The Goals and Basics of TLS
How SSL became TLS

| When | Who | What | Comments |
|---|---|---|---|
| 1994 | Netscape | SSL 1.0 designed. | Never published as security flaws were found internally. |
| 1995 | Netscape | SSL v2.0 published. | Flaws found pretty quickly, which led to… |
| 1996 | Netscape | SSL v3.0 published. | SSL becomes ubiquitous. |
| 1999 | IETF | TLS v1.0 published (SSL v3.1). | Incremental fixes, political name change and IETF ownership. |
| 2006 | IETF | TLS v1.1 published (SSL v3.2). | Incremental fixes and capabilities. |
| 2008 | IETF | TLS v1.2 published (SSL v3.3). | What we should all be using! |
| 2014 | IETF | TLS v1.3 draft 1 (SSL v3.4). | |
| 2018 | IETF | TLS v1.3 draft 23. | Expires July 15. |
Stop to consider the awesomeness!
A Client and Server can have a secure conversation over an insecure medium having never met before.
What is a secure conversation?
• Privacy – Conversation must be encrypted.
  – Prevent eavesdropping attacks.
• Integrity – Client & Server must be able to detect message tampering.
  – Prevent Man In The Middle (MITM) attacks.
• Authentication – Client needs to trust they're talking to the intended server.
  – Prevent impersonation attacks.
TLS achieves this using various techniques…
• Privacy – Symmetric key encryption for application data.
  – Typically Advanced Encryption Standard (AES).
• Integrity – Authenticated Encryption with Additional Data (AEAD).
  – Usually AES-GCM (Galois/Counter Mode) cipher mode.
• Authentication – X.509 certificates signed by a mutually trusted third party.
  – Typically server authenticated only.
Flow of messages in a TLS conversation
[Figure: message flow diagram. Labels: Open Socket, Handshake, Application Data, Alert, Close Socket.]
Flow of messages in a TLS conversation
• Handshake
  – Agree a cipher suite.
  – Agree a master secret.
  – Authentication using certificate(s).
• Application Data
  – Symmetric key encryption.
  – AEAD cipher modes.
  – Typically HTTP.
• Alerts
  – Graceful closure, or
  – Problem detected.
TLS v1.3: https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html
Key Goals of TLS v1.3
• Key Goals of TLS v1.3:
  – Clean up – Remove unsafe or unused features.
  – Security – Improve security with modern techniques.
  – Privacy – Encrypt more of the protocol.
  – Performance – 1-RTT and 0-RTT handshakes.
  – Continuity – Backwards compatibility.
WHAT'S REMOVED IN TLS V1.3?
What's removed in TLS v1.3
• Key Exchange:
  – RSA.
• Encryption algorithms:
  – RC4, 3DES, Camellia.
• Cryptographic hash algorithms:
  – MD5, SHA-1.
• Cipher modes:
  – AES-CBC.
• Other features:
  – TLS Compression & Session Renegotiation.
  – DSA signatures (ECDSA ≥ 224 bit).
  – ChangeCipherSpec message type & "Export" strength ciphers.
  – Arbitrary/custom (EC)DHE groups and curves.
This has mitigated quite a few attacks…
• RC4: Roos's Bias 1995, Fluhrer, Mantin & Shamir 2001, Klein 2005, Combinatorial Problem 2001, Royal Holloway 2013, Bar-mitzvah 2015, NOMORE 2015.
• MD5 & SHA-1: SLOTH 2016, SHAttered 2017.
• AES-CBC: Vaudenay 2002, Boneh/Brumley 2003, BEAST 2011, Lucky13 2013, POODLE 2014, Lucky Microseconds 2015.
• RSA PKCS#1 v1.5 Encryption: Bleichenbacher 1998, Jager 2015, DROWN 2016.
• Compression: CRIME 2012.
• Renegotiation: Marsh Ray Attack 2009, Renegotiation DoS 2011, Triple Handshake 2014.
• 3DES: Sweet32.
WHAT'S NEW AND CHANGED?
What's New and Changed?
• Cipher Suites.
• Handshake.
• HMAC-based Key Derivation Function (HKDF).
• Key Schedule.
• Sessions.
CIPHER SUITES
[Figure: anatomy of a TLS v1.2 cipher suite name, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Labels: Protocol (TLS), Key Exchange (ECDHE), Authentication (RSA), AEAD Cipher Mode (AES_128_GCM), PRF Hash Algorithm (SHA256).]
TLS v1.2 provides 37 Cipher Suites
• TLS 1.2 specifies 37 cipher suites.
  – Add previous versions in: 319 cipher suites.
TLS 1.3 Cipher Suites
• TLS v1.3 supports 5 cipher suites.
  – TLS_AES_128_GCM_SHA256
  – TLS_AES_256_GCM_SHA384
  – TLS_CHACHA20_POLY1305_SHA256
  – TLS_AES_128_CCM_SHA256
  – TLS_AES_128_CCM_8_SHA256
[Figure: anatomy of a TLS 1.3 cipher suite name, TLS_AES_128_GCM_SHA256. Labels: Protocol (TLS), AEAD Cipher Mode (AES_128_GCM), HKDF Hash Algorithm (SHA256).]
What happens to key exchange and authentication then?
• Key Exchange algorithms:
  – DHE & ECDHE
    • Only 5 ECDHE curve groups supported.
    • Only 5 DHE finite field groups supported.
  – Pre-Shared Key (PSK)
  – PSK with (EC)DHE
• Digital Signature (Authentication) algorithms:
  – RSA (PKCS#1 variants)
  – ECDSA / EdDSA
HANDSHAKE CHANGES
TLS Handshake
• The handshake has three goals:
  – Agree a cipher suite.
  – Agree a master secret.
  – Establish trust between Client & Server.
• Optimise for the most common use cases.
  – Everyone* wants a secure conversation.
  – Same cipher suites used across websites repeatedly.
  – Clients connect to the same sites repeatedly.
* ok, almost everyone!
TLS 1.2 Handshake
[Figure: TLS 1.2 handshake message flow.]
Three Stages of a TLS 1.3 Handshake
[Figure: the three stages. Labels: Key Exchange, Server Parameters, Authentication.]
Client now makes assumptions about server support.
• Client sends:
  – Cipher Suite options.
  – List of supported groups/curves.
  – (EC)DHE Key Share(s).
• Server sends:
  – Cipher suite selection.
  – (EC)DHE Key Share.
• Client and Server now share a key.
The rest of the handshake is encrypted.
• Server sends:
  – Encrypted Extensions
    • Server Name
    • Message Length
    • …and optionally many more
  – Certificate Request
    • Supported signature algorithms.
Client now makes assumptions about server support.
• Server sends:
  – Certificate.
  – Proof of private key possession.
  – Finished.
  – Application Data.
• Client responds:
  – Certificate.
  – Proof of private key possession.
  – Finished.
Efficiency Gains
[Figure: comparison of TLS 1.2 and TLS 1.3 handshake round trips.]
GENERATING KEYS USING HKDF
HKDF (RFC 5869): HMAC-based Key Derivation Function
• TLS <= v1.2 defines a PRF algorithm.
• TLS v1.3 replaces this with HKDF.
  – HKDF encapsulates how TLS uses HMAC.
  – Re-used in other protocols.
  – Separate cryptographic analysis already done.
• Provides 2 functions:
  – Extract – create a pseudo-random key from inputs.
  – Expand – create more keys from the extract output.
• HMAC is integral to HKDF.
  – HMAC requires the cryptographic hash algorithm specified in the cipher suite (SHA256 or SHA384).
How the PRF is implemented
[Figure: PRF(secret, label, seed) = P_HASH(secret, label + seed); P_HASH iterates HMAC(SHA-256) over label + seed to produce key material.]
TLS <= v1.2: Creating Key Material from a master secret
[Figure: Pre-master Secret (>= 46 bytes) → PRF → Master Secret (48 bytes) → PRF → Key Material (∞): Client Write Key, Server Write Key, Client Write IV, Server Write IV, Client MAC Key, Server MAC Key.]
TLS v1.3 Key Schedule Generation
[Figure: the TLS 1.3 key schedule. Inputs: PSK (or 0), (EC)DHE (or 0). Functions: HKDF-Extract, HKDF-Expand-Label, Derive-Secret, Derive-Secret (Fixed). Secrets derived in order: Early Secret (→ Binder Key, Client Early Traffic Secret, Early Exporter Master Secret); Handshake Secret (→ Client Handshake Traffic Secret, Server Handshake Traffic Secret); Master Secret (→ Client Application Traffic Secret 0 … N, Server Application Traffic Secret 0 … N, Exporter Master Secret, Resumption Master Secret → PSK for Ticket N with Nonce N).]
PRE-SHARED KEYS AND SESSIONS: What's the difference?
Why do we need sessions?
• Full handshakes are expensive.
  – Key generation.
  – Server (& Client) Authentication.
• Many HTTP clients need it.
  – Download web page resources (JS, CSS, images).
  – Dynamic web pages (XHR).
  – May not be feasible to keep connection open.
How do we establish a PSK?
• Out-of-band
  – Added to TLS in 2006 via RFC 4279.
• During Handshake
  – Client announces it supports session resumption.
  – Server provides PSK identities during handshake.
• After handshake, Server sends "NewSessionTicket"
  – Contains PSK identity, nonce and max age.
  – The PSK is derived from the master secret.
  – Server can send multiple tickets.
So, TLS v1.3 supports PSK-based session resumption
[Figure: full handshake message flow, which becomes… the PSK resumption flow.]
What about Zero Round Trip Time (0-RTT)?
• PSK means the key is known to both sides.
  – Does this mean Client can send data immediately?
  – Can we have a zero round trip time handshake?
Yes, we can!
• But…
  – No forward secrecy for the "early data" sent by client.
  – No guarantees of non-replay.
BACKWARDS COMPATIBILITY: Extensions… Extensions everywhere!
Backwards Compatibility
• Backwards compatibility is important
  – TLS v1.3 clients need to talk to TLS v1.2 servers.
  – TLS v1.2 clients need to talk to TLS v1.3 servers.
• Structure of Hello messages is maintained.
  – 12 extensions defined in the RFC.
  – 9 extensions defined in other RFCs.
• E.g. server key exchange message replaced with key_share extension.
All the extensions

| Extension | TLS 1.3 |
|---|---|
| server_name [RFC6066] | CH, EE |
| max_fragment_length [RFC6066] | CH, EE |
| status_request [RFC6066] | CH, CR, CT |
| supported_groups [RFC7919] | CH, EE |
| signature_algorithms [RFC5246] | CH, CR |
| use_srtp [RFC5764] | CH, EE |
| heartbeat [RFC6520] | CH, EE |
| application_layer_protocol_negotiation [RFC7301] | CH, EE |
| signed_certificate_timestamp [RFC6962] | CH, CR, CT |
| client_certificate_type [RFC7250] | CH, EE |
| server_certificate_type [RFC7250] | CH, CT |
| padding [RFC7685] | CH |
| key_share | CH, SH, HRR |
| pre_shared_key | CH, SH |
| psk_key_exchange_modes | CH |
| early_data | CH, EE, NST |
| cookie | CH, HRR |
| supported_versions | CH |
| certificate_authorities | CH, CR |
| oid_filters | CR |
| post_handshake_auth | CH |

| Acronym | Message |
|---|---|
| CH | ClientHello |
| SH | ServerHello |
| EE | EncryptedExtensions |
| CT | Certificate |
| CR | CertificateRequest |
| NST | NewSessionTicket |
| HRR | HelloRetryRequest |
Backwards Compatibility Considerations
• Protocol Version is mentioned in every message.
  – Now deprecated / fixed to old version values.
  – Handshake claims 1.2, App Data claims 1.0.
  – New extension specifies list of supported versions.
• Fixed values to prevent downgrade attacks.
  – Server "Random" has fixed last 8 bytes:
    • DOWNGRD [0x01] for TLS 1.2 clients.
    • DOWNGRD [0x00] for <= TLS 1.1 clients.
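The downgrade sentinel described above, as an added example that is not from the slides: the server side writes the fixed last 8 bytes of ServerHello.random when it negotiates below TLS 1.3, and the client side checks for them before continuing. The sentinel bytes are the ASCII string "DOWNGRD" followed by 0x01 or 0x00; the 32-byte random value is a constructed placeholder.

```python
# TLS protocol version numbers as carried on the wire (uint16).
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# The two sentinels a TLS 1.3-capable server writes into the last 8 bytes of its Random.
DOWNGRD_TLS12 = b"DOWNGRD\x01"  # 44 4F 57 4E 47 52 44 01: server settled for TLS 1.2
DOWNGRD_TLS11 = b"DOWNGRD\x00"  # 44 4F 57 4E 47 52 44 00: server settled for TLS 1.1 or below


def server_random(negotiated_version: int, fresh_random: bytes) -> bytes:
    """Return the 32-byte ServerHello.random a TLS 1.3-capable server sends.

    A full 32 random bytes for TLS 1.3; otherwise 24 random bytes plus the
    sentinel that matches the version it negotiated down to.
    """
    if len(fresh_random) != 32:
        raise ValueError("Random must be 32 bytes")
    if negotiated_version >= TLS13:
        return fresh_random
    sentinel = DOWNGRD_TLS12 if negotiated_version == TLS12 else DOWNGRD_TLS11
    return fresh_random[:24] + sentinel


def client_detects_downgrade(client_max_version: int, negotiated_version: int,
                             random: bytes) -> bool:
    """Client-side check; True means the handshake must be aborted.

    A client that offered TLS 1.3 but was answered with 1.2 or lower must
    refuse either sentinel: a genuine pre-1.3 server could only produce one
    by chance. A client that offered TLS 1.2 and got 1.1 or lower must
    refuse the 0x00 sentinel for the same reason.
    """
    tail = random[-8:]
    if client_max_version >= TLS13 and negotiated_version <= TLS12:
        return tail in (DOWNGRD_TLS12, DOWNGRD_TLS11)
    if client_max_version == TLS12 and negotiated_version <= TLS11:
        return tail == DOWNGRD_TLS11
    return False


if __name__ == "__main__":
    # Constructed placeholder random; a real server uses 32 bytes from a CSPRNG.
    rnd = bytes(range(32))
    # A middlebox strips TLS 1.3 from a 1.3 client's offer; the server answers with 1.2.
    print("downgrade detected:",
          client_detects_downgrade(TLS13, TLS12, server_random(TLS12, rnd)))
```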
And that's TLS v1.3!
• Removed
  – Anything that was unused, unsafe or didn't offer significant value.
• Added
  – Handshake encryption.
  – 1-RTT and 0-RTT PSK / Session Resumption.
• Changed
  – Cipher Suites.
  – Handshake.
  – HMAC-based Key Derivation Function (HKDF).
  – Key Schedule.
  – Sessions.
THANK YOU FOR LISTENING!
My own thoughts?
• The Good:
  – Massive efficiency gains*.
  – Fewer choices for Client & Server means reduced attack vectors.
• The Bad:
  – "Extensions… extensions everywhere" (21).
  – A lot of added complexity for backwards compatibility.
  – Specification consumability is questionable.
* 0-RTT has a "whiff of future regret" about it.
APPENDIX: Unused Slides
What's the point of the master secret?
• Client and Server need:
  – Keys for symmetric encryption.
  – Initialisation Vectors for AEAD cipher modes.
• Keys & IVs generated from a master secret.
• TLS defines a "Key Schedule"
  – How the HKDF algorithm is used.
  – How to generate an infinite amount of secure key material.
• So, how does HKDF work?
HKDF (IS THE NEW PRF): HMAC-based Extract-and-Expand Key Derivation Function
What is HKDF used for?
• Key Schedules
  – Handshake Secrets.
  – Early Traffic Secrets.
  – Master Secret.
  – Application Data Secrets.
  – Initialisation Vectors.
• Transcript Hashes
  – Certificate Verification.
  – Handshake "Finished" Keys.
HKDF (RFC 5869): HMAC-based Extract-and-Expand Key Derivation Function
• TLS <= v1.2 defines a PRF algorithm.
  – HKDF encapsulates how TLS uses HMAC.
  – Re-used in other protocols.
  – Separate cryptographic analysis already done.
• Provides 2 functions:
  – Extract – create a pseudo-random key from inputs.
  – Expand – create more keys from the first key.
• HMAC is integral to HKDF.
Cryptographic MAC Function: HMAC
• It creates a Message Authentication Code using:
  – Message data.
  – A shared key.
  – A cryptographic hash algorithm (set in cipher suite).
    • SHA256 or SHA384.
Message Authentication Codes – Integrity
• Keyed-Hash Message Authentication Code
[Figure: HMAC construction. The secret key XOR'd with 0x3636…36 is prepended to the message and hashed; the secret key XOR'd with 0x5c5c…5c is prepended to that inner hash and hashed again, giving the HMAC.]
HKDF Extract & Expand
• Extract – Creates a Pseudo-Random Key (PRK).
• Expand – Creates infinite key material from the PRK.
  – Iteratively calls HMAC with an increasing counter.

  HKDF-Extract(salt, IKM) -> PRK
    PRK = HMAC-Hash(salt, IKM)

  HKDF-Expand(PRK, info, L) -> OKM
    T(0) = empty string (zero length)
    T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
    T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
    …
However, it's unfortunately not that simple…
[Figure: Derive-Secret(Secret, Label, Messages[]) = HKDF-Expand(Secret, HkdfLabel, Hash.Length), where HkdfLabel is built from: Length; Label = "tls13 " (char[6]) followed by the variable label (Variable[12]); and Hash Value = Hash(Messages[0] … Messages[n]) (Variable[255]).]
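The HMAC, HKDF-Extract/Expand and Derive-Secret constructions from the last three slides, carried through in one added example that is not from the slides: HMAC is built by hand from the 0x36/0x5c pads, HKDF is layered on it exactly as RFC 5869 states it, and Derive-Secret wraps HKDF-Expand in the TLS 1.3 HkdfLabel before running the first two rungs of the key schedule (Early Secret, then Handshake Secret). The (EC)DHE shared secret passed in is a constructed placeholder; the function and variable names are this example's own.

```python
import hashlib


def hmac_hash(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as drawn on the slide: Hash((key ^ opad) | Hash((key ^ ipad) | msg))."""
    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-384
    if len(key) > block_size:                         # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")              # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)               # the 0x36 36 36 ... block
    opad = bytes(b ^ 0x5C for b in key)               # the 0x5c 5c 5c ... block
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac_hash(salt, ikm, hash_name)


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated then truncated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:                        # the counter is a single byte
        raise ValueError("HKDF-Expand: L must be <= 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac_hash(prk, t + info + bytes([counter]), hash_name)
        okm += t
        counter += 1
    return okm[:length]


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Encode the TLS 1.3 HkdfLabel structure that HKDF-Expand-Label passes as 'info'."""
    full_label = b"tls13 " + label                     # the fixed "tls13 " prefix from the slide
    if not 7 <= len(full_label) <= 255 or len(context) > 255:
        raise ValueError("label must be 7..255 bytes and context at most 255 bytes")
    return (length.to_bytes(2, "big")                  # uint16 length
            + bytes([len(full_label)]) + full_label    # opaque label<7..255>
            + bytes([len(context)]) + context)         # opaque context<0..255>


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    return hkdf_expand(secret, hkdf_label(length, label, context), length, hash_name)


def derive_secret(secret: bytes, label: bytes, messages, hash_name: str = "sha256") -> bytes:
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.Length)."""
    transcript = hashlib.new(hash_name)
    for message in messages:                           # Hash(Messages[0] | ... | Messages[n])
        transcript.update(message)
    return hkdf_expand_label(secret, label, transcript.digest(), transcript.digest_size, hash_name)


def early_and_handshake_secrets(ecdhe_shared: bytes, psk: bytes = b"",
                                hash_name: str = "sha256"):
    """First two rungs of the key schedule.

    Early Secret     = HKDF-Extract(salt=0, IKM=PSK)   (IKM is HashLen zeros when there is no PSK)
    derived          = Derive-Secret(Early Secret, "derived", "")
    Handshake Secret = HKDF-Extract(salt=derived, IKM=(EC)DHE shared secret)
    """
    hash_len = hashlib.new(hash_name).digest_size
    early = hkdf_extract(b"", psk or b"\x00" * hash_len, hash_name)
    derived = derive_secret(early, b"derived", [], hash_name)
    handshake = hkdf_extract(derived, ecdhe_shared, hash_name)
    return early, derived, handshake


if __name__ == "__main__":
    # Constructed placeholder for an (EC)DHE shared secret; a real one comes from the key shares.
    early, derived, handshake = early_and_handshake_secrets(b"\x01" * 32)
    print("early secret:    ", early.hex())
    print("handshake secret:", handshake.hex())
```

Running it with no PSK reproduces the well-known SHA-256 early secret 33ad0a1c…f170f92a, which is the same for every TLS 1.3 connection that starts without a PSK.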
Client says Hello

| CH Parameter | Description | Notes |
|---|---|---|
| Protocol Version | Legacy slot for protocol version. | 0x0303 (TLS v1.2) |
| Random | The Client Random. | No more Unix time. |
| Session ID | Session ID. | Forced 0 byte length. |
| Cipher Suites | Symmetric cipher options. | One of five. |
| Compression Methods | N/A | Must specify not supported. |
| Supported Versions | List of uint16. | 0x0304 (TLS v1.3) |
| Signature Algorithms | List of supported. | Required for Client Cert Auth. |
| Negotiated Groups | | Required for (EC)DHE. |
| Key Share | | Required for (EC)DHE. |
| Pre-Shared Key | | Required for PSK (incl. session resumption). |
First Contact: ClientHello
• Client initiates the connection.
• Contents:
  – Version (Legacy)
    • Unused, must be set to 0x0303 (TLS v1.2).
  – Client Random
    • Used in PRF to create master secret.
  – Session ID (Legacy)
    • Ignored, kept for backwards compatibility.
  – Supported Cipher Suites
    • What cipher suites this client can support.
  – Compression (Legacy)
    • Ignored, kept for backwards compatibility.
  – Extensions (TLS v1.3)
    • List of supported TLS versions (mandatory).
  – Extensions (Others)
    • Other extensions, e.g. SNI.
RSA Key Exchange & Forward Secrecy
• The problem with RSA key exchange:
  – The pre-master secret is always encrypted with the public key in the certificate.
  – The certificate doesn't change (often).
  – If the private key was ever compromised, Eve could read every conversation.
SHA-1 & MD5 Weaknesses
• Cryptographic hash algorithm features:
  – Find any m and m' such that hash(m) = hash(m').
  – Find m' given m such that hash(m) = hash(m').
  – Find m given x such that hash(m) = x.
• MD5 vulnerabilities:
  – Collision attack – done.
  – Theoretical attack on pre-image (2^123 operations).
• SHA-1 vulnerabilities:
  – Collision attack – given 6500 CPU-years or 1000 GPU-years.
  – Reduced cryptographic strength from 160 bits to 77 bits.
Renegotiation Attacks [RRDO10]
[Figure: renegotiation attack message flow.]