![Page 1: NOT-QUITE-SO-BROKEN TLS 1 · NOT-QUITE-SO-BROKEN TLS 1.3 MECHANISED CONFORMANCE CHECKING David Kaloper Meršinjak Hannes Mehnert University of Cambridge, Computer Labs TRON, 21 February](https://reader033.vdocument.in/reader033/viewer/2022060507/5f21c0afc43cec49c66520b9/html5/thumbnails/1.jpg)
NOT-QUITE-SO-BROKEN TLS 1.3
MECHANISED CONFORMANCE CHECKING
David Kaloper Meršinjak, Hannes Mehnert
University of Cambridge, Computer Labs
TRON, 21 February 2016
MOTIVATION
- Internet standards are written informally, as RFCs
- People interpret RFCs differently
- Primitives (HMAC, AES, ..) can be tested using static test vectors
- Protocols include choice points
- State space explodes
TLS TESTING NOWADAYS
- Test against widely deployed implementations
- Using different command-line options to cover the positive space
- Does anybody have automated tests of renegotiation/resumption?
- Interoperability with widely deployed implementations, even if they violate the RFC

"Be conservative in what you do, be liberal in what you accept from others." -- Postel
SOME PROBLEMS
- SignatureAlgorithms are not used for certificate selection
- Padding (client hello) included length (servers MAY check)
- Blocking semantics during renegotiation
- Early CCS: RFC does not state all preconditions for a message
CHOICE POINTS
- Fragmentation and padding
- Client: ciphersuites, extensions, signature algorithms
- Client: which keyshares to transfer?
- Server: version, key exchange (PSK? 0RTT?), ciphersuite
- Server: certificate chain (SigAlgs, ciphersuite, KeyShare, SNI)
- Server: encrypted extensions (pretty clear guideline)
OUR CONTRIBUTION
- Keep in mind: all records besides hellos are now encrypted!
- Provide tools for automated testing and analysis
- Support TLS implementors with tools for debugging
BACKGROUND: NQSB-TLS
- A clean-slate TLS 1.x implementation/model
- Started beginning of 2014
- Around 6000 lines of OCaml code
- Interoperates with major stacks
- Performance in the same ballpark as OpenSSL
- Protocol handler without side effects: transforms TLS state and input bytes to Error OR Ok (new TLS state, out bytes, decrypted payload)
STATUS OF NQSB-1.3
- loc: 1862 insertions, 358 deletions (now 6000)
- 1.3 state machine separate (apart from hello handling)
- draft11
- Can talk to itself :) (DHE, PSK, DHE-PSK)
- Missing 1.3 features: ECC, 0-RTT, client authentication
NQSB-1.3 TESTING TOOLS
- Check conformance of YourTLS by exploring its state space
- Render sequence diagrams from trace
- Replay recorded trace
- Validate session between any two stacks
CONFORMANCE CHECKING
- Explores state space by enumerating choice points in nqsb
- Executes unmodified YourTLS with all sequences of choices
- Covers space of valid interactions
- Reports sequences of choices which lead to failure
(Page 11: slide image without transcribed text)
WIP: CONFORMANCE CHECKING
- Read pre-shared keys
- Read ServerConfiguration and secret for 0-RTT
- Evaluate code coverage in nqsb and YourTLS
- Trigger post-handshake authentication if YourTLS is the server
- Negative tests
VISUALISATION
- Input: recorded trace from nqsb
- Renders trace as sequence diagram (terminal/html)
- Purpose: easier to analyse than a trace as text
- WIP: PDF output
- WIP: online server with database
A live demo of vis
(Page 15: slide image without transcribed text)
(Page 16: slide image without transcribed text)
WIP: REPLICATION
- Input: trace, ephemeral and static secret, YourTLS binary
- Replays one side of trace against YourTLS
- Reports discrepancy in behaviour
- Records new trace
WIP: SESSION VALIDATION
- Input: session as TCP stream, ephemeral and static secrets
- Validates session against nqsb-TLS protocol handler
- Looks ahead for decisions (ciphersuite, random, ..)
- Result: would nqsb have also accepted/denied the session?
- (outdated 1.2/1.1/1.0 version available at https://github.com/hannesm/trace-checker)
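The three ideas on the slides above (a side-effect-free protocol handler, conformance checking by enumerating choice points against an unmodified implementation, and session validation that looks ahead at the recorded peer's decisions) can be shown together on a toy protocol. The following is an added example, not code from nqsb-tls, the talk or its tools: the two-message "handshake", the suite and group names, the client choice points and the defect in `buggy_server_step` (which plays the role of YourTLS) are all constructed for illustration and are not TLS.

```python
"""Toy conformance checker and session validator in the spirit of the nqsb
tooling.  Constructed example: the two-message 'handshake' is NOT TLS, and
buggy_server_step stands in for an unmodified YourTLS under test."""
import itertools

SERVER_SUITES = ("AES256", "AES128")   # server preference order (constructed)
SERVER_GROUPS = ("x25519", "p256")

def parse_hello(msg):
    # b'CH:AES128,AES256;x25519\n' -> (('AES128', 'AES256'), ('x25519',))
    suites, _, shares = msg[3:].rstrip(b"\n").decode().partition(";")
    return (tuple(s for s in suites.split(",") if s),
            tuple(g for g in shares.split(",") if g))

def choose(offered_suites, offered_shares, decision=None):
    """Server choice point: first mutually supported suite and key-share group.
    A `decision` (suite, group) recovered from a recorded session overrides
    the preference order; this is how the validator 'looks ahead'."""
    if decision is not None:
        suite, group = decision
        valid = (suite in offered_suites and suite in SERVER_SUITES and
                 group in offered_shares and group in SERVER_GROUPS)
        return (suite, group) if valid else None
    suite = next((s for s in SERVER_SUITES if s in offered_suites), None)
    group = next((g for g in SERVER_GROUPS if g in offered_shares), None)
    return (suite, group) if suite and group else None

def server_step(state, record, decision=None):
    """Pure reference handler: (state, input bytes) -> ('ok', state', out)
    or ('error', why).  state = (phase, reassembly buffer); no I/O, no
    randomness, no clock, so every run is replayable."""
    phase, buf = state
    if phase != "wait_hello":
        return ("error", "record after handshake completion")
    buf += record
    if not buf.endswith(b"\n"):           # hello fragmented across records
        return ("ok", (phase, buf), b"")
    if not buf.startswith(b"CH:"):
        return ("error", "expected ClientHello")
    picked = choose(*parse_hello(buf), decision)
    if picked is None:
        return ("error", "no common suite/group")
    return ("ok", ("done", b""), b"SH:%s;%s\n" % (picked[0].encode(), picked[1].encode()))

def buggy_server_step(state, record, decision=None):
    # Stand-in for YourTLS: never reassembles a fragmented hello (constructed defect).
    if not record.endswith(b"\n"):
        return ("error", "truncated ClientHello")
    return server_step(state, record, decision)

def run(step, records, decision=None):
    """Drive a handler over a list of records, concatenating its output."""
    state, out = ("wait_hello", b""), b""
    for rec in records:
        res = step(state, rec, decision)
        if res[0] == "error":
            return res
        _, state, produced = res
        out += produced
    return ("ok", state, out)

# Client choice points (constructed): suites and key shares to offer, and
# whether to fragment the hello across two records.
CLIENT_SUITES = (("AES128",), ("AES256",), ("AES128", "AES256"))
CLIENT_SHARES = ((), ("p256",), ("x25519", "p256"))
FRAGMENT = (1, 2)

def client_records(suites, shares, nfrag):
    msg = b"CH:%s;%s\n" % (",".join(suites).encode(), ",".join(shares).encode())
    return [msg] if nfrag == 1 else [msg[:len(msg) // 2], msg[len(msg) // 2:]]

def conformance_check(sut_step):
    """Enumerate every client choice sequence, keep those the reference
    accepts (the valid interactions) and report the ones the system under
    test fails or answers differently."""
    failures = []
    for choice in itertools.product(CLIENT_SUITES, CLIENT_SHARES, FRAGMENT):
        records = client_records(*choice)
        expected = run(server_step, records)
        if expected[0] != "ok":
            continue                      # reference rejects: not a valid interaction
        got = run(sut_step, records)
        if got[0] != "ok" or got[2] != expected[2]:
            failures.append(choice)
    return failures

def peek_decision(server_bytes):
    """Look ahead into the recorded server flight to recover its choices."""
    if not (server_bytes.startswith(b"SH:") and server_bytes.endswith(b"\n")):
        return None
    suite, _, group = server_bytes[3:-1].decode().partition(";")
    return (suite, group)

def validate_session(records, server_bytes):
    """Would the reference, forced to the recorded server's decisions, have
    produced exactly this session?"""
    res = run(server_step, records, peek_decision(server_bytes))
    return res[0] == "ok" and res[2] == server_bytes

if __name__ == "__main__":
    for choice in conformance_check(buggy_server_step):
        print("YourTLS failed on choices:", choice)
```

Because `server_step` is a pure function of (state, bytes), the enumerator can replay any choice sequence deterministically and the checker reports exactly which choices broke the system under test; here every failure has `nfrag == 2`, pointing straight at the missing reassembly. `validate_session` shows the look-ahead: a recorded server that picked AES128 over the reference's preferred AES256 is still accepted as long as its choice was among the client's offers, while a server that picks something the client never offered is rejected.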
EARLY DRAFT11 COMMENTS
- Should signing (PSS) hash handshake_log again (#407)?
- NewSessionTicket: one or any number after a single Finished?
- NewSessionTicket: one more after client authentication?
- NewSessionTicket: useful after PSK/(EC)DHE_PSK?
- Fragment buffers must be empty before switching crypto
- Rely on 32bit UNIX epoch time (#348)
- KeyShareEntry encoding (#410)
INSTALLATION
Requires OCaml >= 4.02.2 and opam >= 1.2.2 (http://ocaml.org)

```sh
opam remote add tls13 https://github.com/mirleft/tls13-opam.git
opam update
opam install tls        # provides echo_client, echo_server, etc.
opam install tlstools   # provides tlsweb and tlsvis
```
CONCLUSION
- A partial TLS 1.3 implementation/model
- Conformance checking, used as mechanised specification
- Eager to get interoperability working with YourTLS!
- 2-clause BSD licensed
- Contact: [email protected]
- Information: https://nqsb.io