was ist neu bei tls 1.3? - fraosug · • tls 1.3 protects the negotiated data as soon as it is...
TRANSCRIPT
History Crypto Primitives TLS < 1.3 Hands on Bibliography
Was ist neu bei TLS 1.3?TSLv1.3 – 21nd Century Internet Transmission Security
Dr. Erwin Hoffmann
November, 20th, 2018
1 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
Todays Agenda
• History of TLS and it’s cryptographic concepts• Working model of former TLS implementations• Changes done for TLS 1.3• OpenSSL 1.1.1 under OmniOSce• Installation of fehQlibs + ucspi-ssl• Protocol analysis using WireShark and ’testssl’
TLS 1.3. has been published in RFC 8446 after years of discussion in the IETFin August 2018. Since September 2018 OpenSSL 1.1.1 is available supportingTLSv1.3. My software ucspi-ssl-0.10 is OpenSSL 1.1.1 enabled and used heretogether with OmniOS (r15028).
2 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
Internet security protocols
Transport Layer Security (TLS) – aka Secure Socket Layer (SSL) – is a fundamentalIT security concept and in particular used for Web encryption (HTTPS) and encryptedemail transmission (ESMTPS/ESMTP+StartTLS).
Dark FiberBit transmission PHYPHY
MAC MAC
IP IP
TCP/UDP TCP/UDP
TLSTLS TLS Tunnel
Router function
HTTPS HTTPS
SSH SSHprotected TLS end-to-end transmission
protected messages
IPsec packets
TLS-Records
Message User (authenticated)
Application
Instance(stateful)
Instance(stateless,stateful)
Instance (authenticated)
Security Association via IPsec
MAC framesMACsec WPA(2)
Wireless
Figure: IT security protocols in a layered view
↪→ The cryptographic framework and routines are also used for SSH, PGP, IPSec andWiFi (WPA2), though in a different context.
3 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
Development of cryptographic standards and protocols
Dark FiberBit transmission PHYPHY
MAC MAC
IP IP
TCP/UDP TCP/UDP
TLSTLS TLS Tunnel
Router function
HTTPS HTTPS
SSH SSHprotected TLS end-to-end transmission
protected messages
IPsec packets
TLS-Records
Message User (authenticated)
Application
Instance(stateful)
Instance(stateless,stateful)
Instance (authenticated)
Security Association via IPsec
MAC framesMACsec WPA(2)
Wireless
Figure: Cryptographic standards since the Unix epoch
4 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
The #4 Crypto Primitives
Internet
CA’sprivate key
σ: Signature Primitive
DSA, DSS
!: Ke
y Ex
chan
ge P
rim
itiv
e
RSA
, Dif
fie-
Hel
lman
: En/Decryption PrimitiveC
Block + Stream ciphers (AES, ChaCha)
MD
5, S
HA
, Pol
y130
5
h : H
ash
Prim
itiv
e
Bob’sprivate key
public keyBob’s
public keyCA’s
CertificateAuthority (CA)
Asymmetricalcrypto
Symmetricalcrypto
BobAlice
Figure: The #4 crypto primitives5 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS Use Cases
EHLO client220 hostname EMSTP
250-hostname250-PIPELINING250-8BITMIME250-SIZE 0250-AUTH LOGIN250 STARTTLS
TCP SYN
STARTTLS220 Ready to start TLS
SMTP-Server
TCPListenPort 25
Internet
EHLO client220 hostname EMSTP
250-hostname250-PIPELINING250-8BITMIME250-SIZE 0250 AUTH LOGIN
TCP SYN
SMTP-Client(MUA)
SMTPS-ServerTCPListenPort 465
TLS Tunnel
Internet
a) b)
TLS Handshake
TLS TunnelTLS Handshake
SMTP-Client(MUA)
Figure: Immediate TLS and delayed TLS encryption; aka STARTTLS / STLS
• Immediate/mandatory TLS encryption: HTTPS, SMTPS, LDAPS, IMAPS,POP3S, QMTPS
• Delayed/optional TLS encryption: ESMTP + StartTLS, POP3 + STLS
6 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS Networking Layering
Internet Protocol (IP)Transmission Control Protocol (TCP)
HTTP, SMTP, LDAP, ...
Application protocolTLS Record Layer Protocol
AlertChange CipherSpec
Hand-shake
Heart-beat
(Type 24) (Type 22) (Type 20) (Type 21)(Type 23)
User Datagram Protocol (UDP)
Figure: TLS protocol layering
• TLS is located on top of TCP/UDP (layer 4+5) and below the application layer(7).
• It provides a ’mini’ layering.• The Record layer can be considered as transmission layer: The workhorse.• Handshake, Change Cipher and Alert messages are mostly un-encrypted (using a
NULL-encryption).• The Application messages are encrypted and protected.• The Heartbeat Protocol was added in 2011 with only rough evaluation (and fatal
consequences).7 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
The #4 Crypto Primitives within TLS < 1.3: The HandshakeTLS < 1.3 provides three different ways of handshakes:
• RSA handshake usingstatic RSA public andprivate keys (the RSApublic key is part of theX.509 certificate).
• Diffie-Hellman using theDiscrete Logarithmalgorithm (DHE) whileproviding ephemeral keys.The DH parameters canbe configured andchanged frequently.
• Diffie-Hellman withElliptic CurveCryptography (ECDHE).Curves and the DHparams (as starting pointfor the calculation aretypically fixed by theimplementation.
Internet (TLS-)Server(TLS-)Client
123
5678
910
ClientHelloServerHelloCertificate
ServerHelloDoneClientKeyExchangeChangeCipherSpecFinished
ChangeCipherSpecFinished
TCP segment TCP
segment=
IP packet
secured TLS connection
4ServerKeyExchange
TCP Three Way Handshake
TCP segment
TCP segment
Figure: TLS handshake message exchange
8 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
The #4 Crypto Primitives within TLS < 1.3: EncryptionTLS as the successor of SSL supports different sets of symmetrical de/encryption:Block ciphers:
• 64 bit key-length ��DES• 128 bit key-length ���3DES• 128, 256, 384, 512 bit key-length AES
↪→ The Block Ciphers are often used in ’stream-ing mode’: CBC, OFB, GCM.
Stream ciphers:• 40 + 128 bit key-length ��RC4• ChaCha20 (with TLS 1.2)
Symmetrical En-/De-cryption
Block Cipher
Stream Cipher
Feistel Chiffres (DES, 3DES,Lucifer, TEA)
Rijndael Chiffres (AES, Blowfish,
Serpant, Idea)
Cipher stream (RC4, A5/1+A5/2) One Time Pad
ECB CBC CFB S-Box LFSR NFSR
IV
+
common secret key Input data
Encryption-algorithm/implementation
Operations mode GCM
Cipher stream generation
fixed key
pseudo-random key
Steps:
Figure: TLS symmetric encryption9 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
The #4 Crypto Primitives within TLS < 1.3: Integrity Check
• TLS (1.2) uses a keyword authenticated hash to provide authenticity and integrityfor the data: Message Authentication Code (keyed MAC).
• Since TLS employs both stream and block encryption, hashing is done per TLSrecord prior of encryption: MAC-then-encrypt (MtE).
MACMessage(s)
RLHeader
Length (2 Byte)Version (2 Byte)Protocol (1 Byte)
encrypted (optional)
Hashvalue
MP
Padding(optional )
Protocol =
MAC
Data of the application protocol
CompressionSegment
MACcalculation
Encryption
Record Layer Frame
Record LayerHeader
Segment Segment
Authkey
Sessionkey (+IV)
PL
20: ChangeCipherSpec Protocol21: Alert Protocol22: Handshake Protocol23: Application Protocol (HTTP, ….)24: Heartbeat Protocol (DTLS; maybe also TLS)
Figure: Checking the integrity of transmitted data
10 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
The #4 Crypto Primitives within TLS < 1.3: Cipher Suites• Crypto primitives used for the current session are provided as Cipher Suite.• The TLS protocol enumerates the sets fo crypto primitives.
TLS _KeyExchange+Authentication Encryption+Operational mode MAC
RSADH/DHEECDH
Null*RC4(_40/_56/_128)DES(_40/_56)3DES_EDE(3)AES(_128/_256/_512)RC2(_128/_256)SEEDCAMILLA
ECB(default)CBCGCM
Anonymous DHRSARSA (Export)DSADSSECDSA
NullMD5SHA(1)SHA256SHA384
*) Stream cipher;all others:Block ciphers
__
Figure: TLS Cipher Suites [RFC 3268]
CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };
CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 };CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };
11 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS < 1.3: Keymaterial and Keys• TLS uses a variety of hash functions to derive deterministically the
PreMasterSecret and the Session keys from the input material.• Hash functions are used to ’diffuse’ the input and thus pseudo random sequences
with significant entropy are the result.• This is called a ’Pseudo Random Function’ PRF.
ServerRandom ClientRandom'A' SHA
MD5
PreMasterSecret Hash
SHA
SHA
MD5
PreMasterSecret Hash
PreMasterSecret Hash MD5
Hash Hash Hash
Hash Hash Hash
PreMasterSecret ServerRandom ClientRandom'BB'
PreMasterSecret ServerRandom ClientRandom'CCC'
Hash HashHash
3 * 128 bit
} } }
MAC Secret Session Secret IV
Client Server Client Server Client Server
Initialisation vector IV: a) For Stream ciphers - or - b) for CBC/GCM operation mode
PreMasterSecret
Figure: Generating the PreMaster and the Session secrets
↪→ Given RSA encryption, the only ’random’ number is the client’s random providedduring the handshake. For Diffie-Hellman, client and server deliver a random value.
12 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS < 1.3: Weaknesses
• Backward compatibility with ancient SSL 2.0 (older versions): Renegotiation.• ’Export ciphers’ suited for NSA de-cryption.• Control messages (Alerts, CCS) transmitted in clear text.• No particular state model, thus attacker can interrogate at any point.• Some Cipher suites (in particular with CBC) are weak or even bad.• Very little control on negotiated Cipher suites (mod_ssl).• Handshake is slow.• Session Resumption with persistent data.• Handshake can be broken up (MitM).• MtE delivery valuable information for a hacker given its data decryption.
↪→ TLS (as successor of SSL) is broken by design; it is ’just’ working and deployed ...everywhere.
13 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS 1.3 – SummaryAfter years of discussion, the IETF released TLS 1.3 in RFC 8446 (and RFC 8447.
• The TLS 1.3 core is a complete redesign.• Compatibility with older TLS version is provided supporting its ’skeleton’
behaviour and faking a TLS 1.2 handshake.• As already used in previous TLS releases, TLS 1.3 uses the ’Hello Message’ to
transport the new parameters.• ECDHE key exchange is mandatory and the only one!• TLS uses only a very restricted set of Cipher Suites.• Those Ciphers Suites (apart from AES and GCM) are mainly based on Dan
Bernstein’s developments.• TLS 1.3 protects the negotiated data as soon as it is possible during the
handshake.• ’Early’ Application Data can be transmitted in the handshake.• The handshake in TLS 1.3 is much more efficient and – using Session Resumption
– provides a 0RTT capability.
↪→ Though trying to cope with older TLS versions, TLS 1.3 is a different beast. Some’Middleboxes’ don’t allow to let the TLS 1.3 traffic through, since it does not look likeas expected.
14 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS 1.3 – HandshakeThe TLS 1.3 is much more efficient using an early encryption scheme.
Internet (TLS) Server(TLS) Client
1
Finished (HKDF/Handshake)
Message
2a
TCP Session established
a)
Version = 3.3, Random, Nonce, Cipher Suites, C = 0,
ClientHello
Version = 3.3, Random, SessionID, Cipher Suite, C = 0,
ServerHello
Certificate Verify (signature TH)Certificate
3 Finished (HKDF/Handshake)
Generates Master & Session keys
TLS Connection
Verifies CertificateGenerates Master & Session keys
Internet (TLS) Server
(TLS) Client
1
Finished (HKDF/Handshake)
MessageTCP Session established
b)
Certificate Verify (signature TH)Certificate
Finished (HKDF/Handshake)TLS Connection
Certificate Request
CertificateCertificate Verify (signature TH)
Version = 3.3, Random, Nonce, Cipher Suites, C = 0,
ClientHello
Version = 3.3, Random, SessionID, Cipher Suite, C = 0,
ServerHello
Key
Exc
hang
eAu
then
ticat
ion
Message
2b2c2d
2a
2b2c2d2e
3a
3c3b
Extensions: ’x304’, ALPN
Extensions: ’x304’, ADP
Extensions: ’x304’, ALPN
Extensions: ’x304’, ADP
en-crypted en-
crypted
HKDF(shared secret,“s/c hs traffic“,TH)HKDF(shared secret,“c/s app traffic …“,TH)
Traf
fic ke
y
Application key
Figure: TLS 1.3 Handshake; (a) without and (b) with Client Certificate Request; ALPN: ApplicationLayer Protocol Notifications
Only three messages are exchanged:Client → Server The (unencrypted) Client Hello message.Server → Client The Server Hello message: The first part including protocol artefacts in
clear text; the further parts are encrypted with a provisional secret(Traffic Key) covering in particular the X.509 cert.
Client → Server The encrypted Finish message, telling that the Application Key isready for use. 15 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS 1.3 – Cipher Suites
TLS _KeyExchange+Authentication Encryption+Operational mode MAC
ECDHENullAES_128_GCM_SHA256 AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256AES_128_CCM_SHA256 AES_128_CCM_8_SHA256
SHA-256SHA-384
__
secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),x25519(0x001D),x448(0x001E)
Figure: TLS 1.3 Cipher Suites
CipherSuite TLS_AES_128_GCM_SHA256 {0x13,0x01}CipherSuite TLS_AES_256_GCM_SHA384 {0x13,0x02}CipherSuite TLS_CHACHA20_POLY1305_SHA256 {0x13,0x03}CipherSuite TLS_AES_128_CCM_SHA256 {0x13,0x04}CipherSuite TLS_AES_128_CCM_8_SHA256 {0x13,0x05}
Note: CCM = Cipher Block Chaining - Message Authentication Code (CBC-MAC)
↪→ No particular Authentication method is indicated. Apart from PSK all TranscriptMessages are authenticated requiring a valid server X.509 certificate.
openssl ecparam -list_curves
16 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS 1.3 – Record Layer
MACMessage(s)
RL-Header
Length (2 Byte)Version (2 Byte)Content type (1 Byte)
encrypted (optional)
Hashvalue
MP PL
Padding(optional )
HMAC
Application data
CompressionSegment
MAC-calculation
Encryption
Record Layer Frame
Record LayerHeader
Segment Segment
a) b)
Message(s)
Length (2 Byte)Version = x’303’Content type (1 Byte)
Zero
Application data
Segment
AEADencryption
Record Layer Frame
Record LayerHeader
Segment Segment
d)
c)
Paddingoptional
SecretNonceAdditional data
Content type Padding length (1 Byte)
Figure: TLS 1.3 a) Record layer structure w and c) w/o MAC, b) Record with MAC, d) Record withAEAD
17 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS 1.3 – Keys
HKDF-Extr.Handshake
SecretHandshake Secret,
„s hs traffic“,TSH(HelloMessages)
Handshake Secret, „c hs traffic“,
TSH(HelloMessages)
HKDF-Extr.Master Secret
Master Secret, „c ap traffic“,
TSH(HelloMessages)
Master Secret, „s ap traffic“,
TSH(HelloMessages)
Master Secret, „exp master“,
TSH(HelloMessags)
Master Secret, „res master“,
TSH(HelloMessages)
HKDF-Extr.Early Secret
Early Secret, „c e traffic“,
TSH(ClientHello)
Early Secret, „ext binder |
res binder“, „∅“
Early Secret, „e exp master“,
TSH(ClientHello)
(EC)DHESecret
Early Secret, „derive“, „∅“
Pre Shared Keys
Handshake/Key Exchange
Traffic En/Decryption
binder key(Label)
Client Early Traffic Secret
Early Exporter Master Secret
Client Traffic Handshake Secret
Server Traffic Handshake Secret
Client ApplicationTraffic Secret_0
Server ApplicationTraffic Secret_0
Exporter Master Secret
PSK | 0
Resumption Master Secret
0
DerivedSecret
DerivedSecret
Handshake Secret, „derive“, „∅“
0
none
-de
term
inis
tic
Key GenerationPipeline
Session ResumptionPRF Exporter
itera
tive
key
gene
ratio
n
stateful key usage
Figure: TLS 1.3 Key generating procedure using HKDF18 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS 1.3 – PSK & 0RTT and Grease
Session Resumption is possible withinTLS 1.3 provided, both client andserver store the negotiated secret (per-sistently):Pre-shared Keys (PSK).
The PSK secret is indicated in the ClientHello message providing a hash of thePSK and coupled with the identity of theclient.
↪→ In this case, a TLS session can lit-erally succeed in one step, thus 0-RTT.However, this breaksPerfect Forward Secrecy (PFS)
Grease:Generate Random Extensions AndSustain Extensibility can applied byclient or server to ’test’ the counter-parts TLS 1.3 capabilities indicating’invalid’ Cipher Suites in the Hellomessage.
Internet
(TLS) Server
(TLS) Client
1Message
2
TCP Session established
Versions= 3.3, Random, Nonce, CipherSuites, Compression = 0
ClientHello
Version = 3.3, Random, SessionID,Cipher Suite, Compression = 0
ServerHelloRetry
Supported Vers: …Key Share Hello Retry Request: x25519
Supported Vers: ’x304’Grease Supported Groups: x25519, secp256r1, …Key Share Entry: GreaseKey Share Entry: x25519 cd34bb1ac39….
Exte
nsio
ns
matching
k
Finished (HKDF/Handshake)TLS Connection
3
Ticket Lifetime, Ticket AgeTicket Nonce, Ticket …., Extensions
New Session TicketStores PSK-Label& Session keys
Figure: TLS 1.3 using Pre-shared Keys 19 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
TLS 1.3 – 1RTT
Session establishment can be acceler-ated in case both client and server don’tneed to negotiate the Cipher, but ratherprovide a quick focus: 1-RTT.
In this case, the client indicates to theserver to know already the (otherwisetransmitted) DH-Params and the cho-sen curve (for ECC) for a quick negoti-ation.
↪→ However, the server may havechanged its DH-Params, thus this pro-cedure would not work out. Rather,in this case, the server sends a HelloRetry message telling the new DH-Params. This procedure obviously doesnot violate PFS, since only protocolartefacts are provided by the client.
Internet (TLS) Server
(TLS) Client
1aMessage
2a
TCP Session established
Versions= 3.3, Random, Nonce, CipherSuites, Compression = 0
ClientHello
Version = 3.3, Random, SessionID,Cipher Suite, Compression = 0
ServerHelloRetry
Supported Vers: …Key Share Entry: x25519Key Exchange: ef1bc93..
Exten
sions
2bApplication Data (23)
matching
1b Early Data (23)
Key Share Entry: x25519cd34bb1ac39….PSK Kex Exchange Modes:psk_dhe_kePSK Identity: identity, obfuscated ticket agePSK Binder: HMACsOffered PSK:identity, binders
Figure: TLS 1.3 using 1-RTT message exchange
20 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
Commercial spot
AU
TOR
ENH
EAD
LIN
E
Inklusive: Kapitel zum Internet of Things
anatol BADACH erwin HOFFMANN
Technik der IP-NETZE
INTERNET-KOMMUNIKATION IN THEORIE UND EINSATZ
4. Aufl age
Figure: Technik der IP-Netze (4th edition)
21 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
Implementation
OpenSSL 1.1.0:• Install OpenSSL 1.1.1 on OmniOSce – however without overwriting previous Libs.• How to tell which OpenSSL is installed?
fehQlibs + ucspi-ssl:• Install fehQlibs (under /usr/local).• Install ucspi-ssl using fehQlibs and OpenSSL 1.1.1.• How can you tell that OpenSSL 1.1.1 is in use for a client/server?
testssl:• Install Dirk Wetter’s ssltest from https://github.com/drwetter/testssl.sh• Test TLS 1.3. for some sites (including Google and fehcom).
WireShark:• Install WireShark (> 2.5).• Record a TLS 1.3 connection setup and do an interpretation of the negotiation.
22 / 23
History Crypto Primitives TLS < 1.3 Hands on Bibliography
Bibliography
• RFC 8446• RFC 8447• https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08
23 / 23