tls 1.3: changes and impact on detection - suricon · 2019. 1. 9. · tls 1.3: changes and impact...
TRANSCRIPT
![Page 1: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/1.jpg)
TLS 1.3: changes and impact on detection
Pierre Chifflier
Agence Nationale de la Sécurité
des Systèmes d’Information
2018
![Page 2: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/2.jpg)
Introduction
![Page 3: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/3.jpg)
Who
Who
◮ Pierre Chifflier
◮ Head of the Detection Research lab at ANSSI
◮ Security, compilers and languages
◮ Rust enthusiast (parse all the things!)
◮ @pollux7
Note
◮ Thanks to the OISF + Suricata teams◮ also for accepting strange languages pull requests
ANSSI TLS 1.3 3/36
![Page 4: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/4.jpg)
Agenda
This talk will not be about Rust
◮ TLS 1.3: Background & History
◮ What’s New/Changed/Removed
◮ Impacts on Detection / New detection rules proposals
ANSSI TLS 1.3 4/36
![Page 5: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/5.jpg)
TLS 1.3: Changes
![Page 6: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/6.jpg)
TLS
tee; ls
Transport Layer Security
“Secure Communications”
◮ Confidentiality◮ Encryption◮ Threat: wiretapping
◮ Integrity◮ Detect message tampering◮ Threat: MITM
◮ Authentication◮ Make sure you talkwith the intended server◮ Threat: impersonation
ANSSI TLS 1.3 6/36
![Page 7: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/7.jpg)
TLS 1.3: History
◮ 1993: SSL v1 (never publicly released)
◮ 1994: SSL v2
◮ 1995: SSL v3
◮ 1999: TLS 1.0 (RFC2246)
◮ 2008: TLS 1.2 (RFC5246)
◮ 2011: SSL 2.0 prohibited (RFC6176)
◮ 2015: SSL 3.0 prohibited (RFC7568)
◮ 2015: Let’s Encrypt
◮ 2018 (August): TLS 1.3 ([RFC8446])
See [SSL/TLS and PKI History]
ANSSI TLS 1.3 7/36
![Page 8: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/8.jpg)
KeyGoals of TLS 1.3
Goals
◮ Clean up: remove unsafe or unused features
◮ Security: better algorithms (and less choices)
◮ Privacy: encrypt more elements
◮ Performance: reduce handshake (0-RTT and 1-RTT)
◮ Backward compatible
Performance
◮ More than 50% of internet traffic is encrypted!
◮ Lots of repeated sessions to same servers
ANSSI TLS 1.3 8/36
![Page 9: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/9.jpg)
Clean up: removing unsafe/unused features
Is a small Diffie-Hellman group a Diffie-Hellboy?
Deprecated/removed elements
◮ Key exchange: RSA (Bleichenbacher, DROWN,weak
Diffie-Hellman groups)
◮ Key exchange: custom (EC)DHE groups (CVE-2016-0701)
◮ Encryption ciphers: Export ciphers, DES, 3DES (Sweet32), RC4
(Bar-mitzvah, NOMORE), Camellia
◮ Hash algorithms: MD5, SHA-1 (SLOTH, SHAttered)
◮ Cipher modes (CBC) (Vaudenay, BEAST, Lucky13, POODLE)
◮ Compression (CRIME)
◮ Session renegotiation (Marsh Ray, Renegotiation DoS, Triple
Handshake)
ANSSI TLS 1.3 9/36
![Page 10: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/10.jpg)
Handshake
The handshake has three goals:
◮ Agree a cipher suite
◮ Agree amaster secret
◮ Establish trust between client & server
Optimizations for most common use cases:
◮ Choosing fast & secure parameters
◮ Same cipher suites used acrosswebsites repeatedly
◮ Client connect to the same sites repeatedly
ANSSI TLS 1.3 10/36
![Page 11: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/11.jpg)
Changes: Handshake
TLS 1.2
Source: cloudflare
TLS 1.3
ANSSI TLS 1.3 11/36
![Page 12: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/12.jpg)
Subliminal slide
Parsing ServerHello:
1 match parse_tls_record(&bytes) {
2 Err(e) => { err!("parsing failed: {:?}", e); },
3 Ok((rem, msg)) => {
4 match msg {
5 Handshake(ServerHelloV13(ref sh)) => {
6 log!("ciphersuite: {:x}", sh.cipher);
7 // ...
ANSSI TLS 1.3 12/36
![Page 13: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/13.jpg)
Changes: Cipher Suites
cipher? sweet!
Cipher Suites
◮ Only five ciphersuites (all AEAD)◮ TLS_AES_128_GCM_SHA256 (mandatory)◮ TLS_AES_256_GCM_SHA384◮ TLS_CHACHA20_POLY1305_SHA256◮ TLS_AES_128_CCM_8_SHA256◮ TLS_AES_128_CCM_SHA256
◮ DHE and ECDHE (5 each, but mostly X22519 and P-256)
ANSSI TLS 1.3 13/36
![Page 14: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/14.jpg)
Changes: Cipher Suites (2)
Hell, man
Removal of Static RSA and Diffie-Hellman Cipher Suites
◮ PFS nowmandatory
◮ Private Key no more useable for middle-boxes◮ Network monitoring, compliance, . . .◮ NCSC stands against
[TLS 1.3: better for individuals - harder for enterprises]◮ Reply from [Adam Langley]◮ Proposal for static DH [I-D.green-tls-static-dh-in-tls13]
ANSSI TLS 1.3 14/36
![Page 15: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/15.jpg)
Changes: Cipher Suites (3)
TLS 1.2 cipher suite naming convention
TLS 1.3 cipher suite naming convention
ANSSI TLS 1.3 15/36
![Page 16: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/16.jpg)
Other Handshake changes
Fall back and regroup
◮ Full handshake signature
◮ Downgrade protection (improve TLS_FALLBACK_SCSV)
◮ Curve 25519 and 448
ANSSI TLS 1.3 16/36
![Page 17: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/17.jpg)
Anti-Downgrade Protection
TLS 1.3 hasadowngradeprotectionmechanismembedded in the
server’s random value. TLS 1.3 servers which negotiate TLS 1.2 or
below in response to a ClientHello MUST set the last 8 bytes of
their Random value specially in their ServerHello.
If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
their Random value to the bytes:
44 4F 57 4D 47 52 44 01
D O W N G R D 01
◮ Value stored in the ServerRandom
◮ Last byte to 00 if negotiating TLS 1.1 or below
◮ ServerRandom covered by signature
ANSSI TLS 1.3 17/36
![Page 18: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/18.jpg)
Changes: Resumption / Session Handling
TLS 1.2
Source: cloudflare
TLS 1.3 (0-RTT)
◮ Session ID/Ticket ⇒ Ticket+PSK
◮ Interesting for mobile/low-resources devices
ANSSI TLS 1.3 18/36
![Page 19: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/19.jpg)
Changes: Resumption and 0-RTT
0-RTT caveats
◮ Replayable
◮ No forward secrecy
◮ Trust server’s storage◮ for security◮ for Session Tickets duration
Workarounds
◮ Short Session Tickets
◮ Allow 0-RTT only for GET requests
◮ Requires to trust both client and server
ANSSI TLS 1.3 19/36
![Page 20: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/20.jpg)
Changes: Handshake Encryption
Super cool “Secret” handshake
Handshake Encryption
◮ Most of the handshake is now encrypted
◮ Including the server certificate
◮ Including many extensions
ANSSI TLS 1.3 20/36
![Page 21: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/21.jpg)
Changes: Key Schedule Generation
Nice curvesmakes TLS sexy
TLS 1.3: HKDF
◮ TLS <= 1.2 defines PRF algorithm
◮ TLS 1.3 replaces thiswith HKDF◮ HKDF encapsulates how TLS uses HMAC◮ Re-used in other protocols◮ Separate cryptographic analysis already done
◮ HMAC is integral to HKDF◮ HMAC requires the Cryptographic Hash algorithm specified in the
cipher suite (SHA256 or SHA384)
ANSSI TLS 1.3 21/36
![Page 22: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/22.jpg)
TLS 1.3: Impacts on Detection
![Page 23: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/23.jpg)
Handshake Encryption
Certificate Encryption
◮ Extracting certificates now impossible◮ Except for activemethods
◮ Nomore visibility from network
◮ Certificatewas useful for detection§
◮ Using SNI still possible
ANSSI TLS 1.3 23/36
![Page 24: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/24.jpg)
Handshake Encryption
The KnightsWho SayNi
Server Name Indication
◮ SNI can be used, but◮ encrypted SNI being added
[SNI Encryption in TLS Through Tunneling]◮ eSNI now in Firefox nightly
◮ We can still use Client/Server profiles◮ Detect new/changed profiles◮ tlsfingerprint.io◮ JA3 + JA3S hashes
ANSSI TLS 1.3 24/36
![Page 25: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/25.jpg)
Interesting Items for Detection
0-RTT
◮ 0-RTT is a security risk (replay, no PFS)
◮ ⇒ Detect/alert on early data extension
ANSSI TLS 1.3 25/36
![Page 26: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/26.jpg)
Interesting Items for Detection
Downgrade attempts
◮ Could indicate aMITM
◮ ⇒ Detect/alert ServerRandommagic bytes
ANSSI TLS 1.3 26/36
![Page 27: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/27.jpg)
Interesting Items for Detection
Other items
◮ Manymessages have been removed
◮ ⇒ Detect/alert other messages
ANSSI TLS 1.3 27/36
![Page 28: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/28.jpg)
Interlude: sleepingmeerkat
At this point I hope everyone is not asleep
ANSSI TLS 1.3 28/36
![Page 29: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/29.jpg)
Backwards compatibility
Other items
◮ Clients and Servers must be able to talk to previous versions
◮ ClientHello compatiblewith TLS <= 1.2◮ Some unused fields◮ Tons of extensions◮ Risks of data exfiltration / C2 commands
◮ ⇒ Check values
ANSSI TLS 1.3 29/36
![Page 30: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/30.jpg)
Handshake Encryption
Extensions
◮ 21 extensions in main RFC,many in others
◮ Cleartext instead of encrypted (and reverse)
◮ Invalid extensions combination
◮ Unexpected extensions
ANSSI TLS 1.3 30/36
![Page 31: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/31.jpg)
Subliminal slide (2)
Parsing extensions:
1 match parse_tls_extensions(&ch.ext) {
2 Err(e) => { err!("parsing failed: {:?}", e); },
3 Ok((rem, msg)) => {
4 match msg {
5 Encrypted(_) => { ... },
6 SNI(_) => { ... },
7 EarlyData(_) => { ... },
8 PreSharedKey(ref psk) => {
9 log!("session resumption");
10 // ...
ANSSI TLS 1.3 31/36
![Page 32: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/32.jpg)
The case of version
Jen, “This” is the Internet
TLS Version
◮ Negotiation of version
◮ TLS version is stored in:◮ the record header◮ the ClientHello◮ the supported_versions extension
◮ Usually, ClientHello claims 1.2, and record 1.0
◮ The extension specifies the supported (CH) / selected value (SH)
◮ ⇒ checking the version is much more complex
ANSSI TLS 1.3 32/36
![Page 33: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/33.jpg)
TLS 1.3:When
O’Browser,Where Art Thou?
Deployment status
◮ First push in browsers (Chrome 56), then pulled back
(“Bluecoat and other proxies hang up during TLS 1.3”)
◮ Most browsers now implements it◮ except that old OS/browserswill stay for long in companies
◮ OpenSSL 1.1.1, . . .◮ and custom implementations
◮ Will take longer for embedded, IoT, . . .
◮ Reductive answer to non-deployment: middleboxes
ANSSI TLS 1.3 33/36
![Page 34: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/34.jpg)
Conclusion
![Page 35: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/35.jpg)
Conclusion
Have you tried turning it off and on again?
TLS 1.3
◮ Huge changes (more 2.0 than 1.3)◮ Lots of improvements◮ Focused on privacy
◮ Reduce observable data◮ Still, many detection rules can bewritten◮ TODO: write them
◮ Upgradewill take some time!
ANSSI TLS 1.3 35/36
![Page 36: TLS 1.3: changes and impact on detection - SURICON · 2019. 1. 9. · TLS 1.3: changes and impact on detection Author: Pierre Chifflier Created Date: 11/15/2018 4:49:53 PM](https://reader036.vdocument.in/reader036/viewer/2022071218/6052b6e5ec91165d3254ec00/html5/thumbnails/36.jpg)
Questions?
More resources
◮ [RFC8446]
◮ https://tls13.ulfheim.net/
◮ Filippo Valsorda’s CCC talk
◮ Cloudflare blog
ANSSI TLS 1.3 36/36