sử dụng tls đúng cách - phạm tùng dương
DESCRIPTION
Sử dụng TLS đúng cách - Phạm Tùng DươngTRANSCRIPT
![Page 1: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/1.jpg)
State-‐of-‐the-‐Art Using TLS
@duongkaiSecurity Bootcamp, Da Nang, 2014
![Page 2: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/2.jpg)
/me✓ Phạm Tùng Dương ✓ Solution Engineer @ISP ✓ Security Interested
![Page 3: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/3.jpg)
This Talk is All About UsingWhen I say SSL It means TLS and/or SSL
![Page 4: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/4.jpg)
It is can be written a bookHope I can do well in this talk!
![Page 5: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/5.jpg)
Yeah, and Some…It’s Soooo Sleepy!
![Page 6: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/6.jpg)
Somewhere on the Earth…
![Page 7: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/7.jpg)
SSL-‐by-‐default
![Page 8: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/8.jpg)
It’s Important Than Ever
![Page 9: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/9.jpg)
Protocol Attacks✓2009: SSL Insecure Renegotiation ✓2011: BEAST ✓2012: CRIME ✓2013: RC4 biases, Lucky 13, BREACH ✓2014: POODLE
![Page 10: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/10.jpg)
And in 2014✓Heartbleed and CCS in OpenSSL ✓Goto in GnuTLS ✓BERserk in Mozilla NSS ➔ 3 Biggest SSL implementations
![Page 11: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/11.jpg)
In Pentest Industry
![Page 12: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/12.jpg)
You Are Doing Wrong✓It’s too complex. ✓Crypto related is often hard to
understand.
![Page 13: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/13.jpg)
SSL IN ACTIONOr Your Service Should Be SSL By Default!
![Page 14: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/14.jpg)
SSL Version✓ First developed in Netscape ✓ SSL v2: Oldest and broken ✓ SSL v3 (﴾1996)﴿. Old and almost secure. ✓ TLS 1.0 (﴾1999)﴿. Fine protocol ✓ TLS 1.1 (﴾2006)﴿. No known practical
attacks. ✓ TLS 1.2 (﴾2008)﴿. The most secure until now ✓ TLS 1.3 is being developed
https://www.trustworthyinternet.org/ssl-‐pulse/
![Page 15: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/15.jpg)
SSL Version✓ First developed in Netscape ✓ SSL v2: Oldest and broken ✓ SSL v3 (﴾1996)﴿. Old and almost secure. It
NOT SECURE NOW. ✓ TLS 1.0 (﴾1999)﴿. Fine protocol ✓ TLS 1.1 (﴾2006)﴿. No known practical attacks. ✓ TLS 1.2 (﴾2008)﴿. The most secure until now ✓ TLS 1.3 is being developed
https://www.trustworthyinternet.org/ssl-‐pulse/
![Page 16: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/16.jpg)
Protocol In A Glance
![Page 17: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/17.jpg)
DHE-‐RSA-‐AES256-‐SHA
Cipher Suite
![Page 18: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/18.jpg)
Terms✓CSR, Certificates, EV-‐Cert and CA. ✓Private key. ✓Block ciphers vs Stream ciphers ✓PFS (﴾Letter E)﴿: Perfect Forward Secrecy ✓Curves and Curves: Elliptic Curve ✓X509, PEM, PKCS#12 and conversion. ✓OpenSSL
![Page 19: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/19.jpg)
Checklist1. Updated the latest version (﴾OS, software)﴿ 2. Get an 2048-‐bit certificates from CA. Better if it supports SHA256 3. Know your legacy. 4. Configure TLS on your system. 5. Verify TLS configuration with your own hands.
![Page 20: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/20.jpg)
Explanation2. Get an 2048-‐bit certificates from CA. Better if it supports SHA256 ✓ 1024 bit is weak and can be broken easily.[1] [1]https://isc.sans.edu/diary/Confusion+over+SSL+and+1024+bit+keys/18775 ✓ SHA192 is on the way to be deprecated[2] [2]https://konklone.com/post/why-‐google-‐is-‐hurrying-‐the-‐web-‐to-‐kill-‐sha-‐1 ✓ 4096 is consuming CPU too much
3. Know your legacy ✓ Supported protocol version. ✓ Supported cipher suites. ✓ Your compliance.
![Page 21: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/21.jpg)
Explanation4. Configure TLS on your system. ✓ Avoiding insecure ciphers: RC4, DES, 3DES, MD5, SHA1,… ✓ Turn off SSLv3 support ✓ Turn off compression ✓ AES-‐128 is good enough (﴾both secure and faster)﴿. ✓ Enable PFS if supported. ✓ Switch to using Poly1350, Salsa-‐20 and EC ✓ Reference
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite https://bettercrypto.org/static/applied-‐crypto-‐hardening.pdf
![Page 22: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/22.jpg)
Explanationssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5; ssl_prefer_server_ciphers on; CloudFlare config: https://github.com/cloudflare/sslconfig/blob/master/conf
![Page 23: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/23.jpg)
Explanationssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5; ssl_prefer_server_ciphers on;
CloudFlare config: https://github.com/cloudflare/sslconfig/blob/master/conf
![Page 24: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/24.jpg)
24
![Page 25: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/25.jpg)
Explanation: A+ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Session Resumption
ssl_session_timeout 20m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
# Enable OCSP stapling (req. nginx v 1.3.7+)
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDHE-‐RSA-‐AES256-‐GCM-‐SHA384:ECDHE-‐RSA-‐AES128-‐SHA256:ECDHE-‐RSA-‐AES128-‐SHA:DHE-‐RSA-‐AES128-‐SHA:RC4-‐SHA;
…
add_header Strict-‐Transport-‐Security "max-‐age=31536000; includeSubdomains";
https://gist.github.com/kennwhite/25183c3f05266ee0ad7f
![Page 26: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/26.jpg)
Explanation5. Verify TLS configuration with your own hands. ✓ Openssl s_client ✓ Cipherscan and some browser tools ✓ https://www.howsmyssl.com/ ✓ https://cc.dcsec.uni-‐hannover.de/ ✓ iSec Partner SSLyze ✓ SSLLabs (﴾https://www.ssllabs.com/)﴿ ✓ Make your hands dirty
![Page 27: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/27.jpg)
DEMO TIMEIf I have enough time…
27
![Page 28: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/28.jpg)
Reference[1] HTTPS Everywhere, Ilya Grigorik https://docs.google.com/presentation/d/15H8Sj-‐Zol1tcum0CSylhmXns5r7cvNFtzYrcwAzkTjM/present#slide=id.g12f3ee71d_10 [2] SSL Pulse Project https://www.trustworthyinternet.org/ssl-‐pulse/ [3] How is my SSQL now https://www.howsmyssl.com/ [4] The Art and Science of SSL Configuration, Nick Galbreath https://speakerdeck.com/ngalbreath/the-‐art-‐and-‐science-‐of-‐ssl-‐configuration [5] Bulletproof TLS and SSL, Ivan Ristic, ISBN: 978-‐1907117046 !Special Thanks to authors of photos about Da Nang and Hoi An (on Flickr): pierre_thach, nemesis1903 28
![Page 29: Sử dụng TLS đúng cách - Phạm Tùng Dương](https://reader031.vdocument.in/reader031/viewer/2022013107/547e6f0db379597b2b8b548f/html5/thumbnails/29.jpg)
29
Q&A