1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Similar documents
Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

The Mathematics of the RSA Public-Key Cryptosystem

Overview of Public-Key Cryptography

Lukasz Pater CMMS Administrator and Developer

Public Key Cryptography Overview

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Computer Security: Principles and Practice

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CRYPTOGRAPHY IN NETWORK SECURITY

7! Cryptographic Techniques! A Brief Introduction

Cryptography and Network Security

Notes on Network Security Prof. Hemant K. Soni

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Public Key (asymmetric) Cryptography

Public Key Cryptography and RSA. Review: Number Theory Basics

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

RSA Attacks. By Abdulaziz Alrasheed and Fatima

An Introduction to Cryptography as Applied to the Smart Grid

Is Your SSL Website and Mobile App Really Secure?

SECURITY IN NETWORKS

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

CSCE 465 Computer & Network Security

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Implementation of Elliptic Curve Digital Signature Algorithm

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Lecture 9: Application of Cryptography

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Cryptography and Network Security Chapter 9

Elements of Applied Cryptography Public key encryption

Savitribai Phule Pune University

Cryptography and Network Security Chapter 10

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

How To Encrypt Data With Encryption

White Paper. Enhancing Website Security with Algorithm Agility

Installation and usage of SSL certificates: Your guide to getting it right

Introduction to Cryptography

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

IT Networks & Security CERT Luncheon Series: Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Shor s algorithm and secret sharing

CS 758: Cryptography / Network Security

A Novel Approach to combine Public-key encryption with Symmetric-key encryption

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

The Factoring Dead Preparing for the Cryptopocalypse

, ) I Transport Layer Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Chapter 10. Network Security

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

[SMO-SFO-ICO-PE-046-GU-

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Secure Key Exchange for Cloud Environment Using Cellular Automata with Triple-DES and Error-Detection

SSL Handshake Analysis

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

Chapter 7: Network security

A SOFTWARE COMPARISON OF RSA AND ECC

Lecture 6 - Cryptography

Symmetric Key cryptosystem

Chapter 7 Transport-Level Security

Bit Chat: A Peer-to-Peer Instant Messenger

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Table of Contents. Bibliografische Informationen digitalisiert durch

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Transport Level Security

Some solutions commonly used in order to guarantee a certain level of safety and security are:

The science of encryption: prime numbers and mod n arithmetic

Software Tool for Implementing RSA Algorithm

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Applied Cryptography Public Key Algorithms

PGP (Pretty Good Privacy) INTRODUCTION ZHONG ZHAO

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Security in Computer Networks

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

A Survey of the Elliptic Curve Integrated Encryption Scheme

CPSC 467b: Cryptography and Computer Security

National Security Agency Perspective on Key Management

CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING

An Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm

CrypTool Claudia Eckert / Thorsten Clausius Bernd Esslinger / Jörg Schneider / Henrik Koy

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Cryptography: Authentication, Blind Signatures, and Digital Cash

Overview. SSL Cryptography Overview CHAPTER 1

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

2014 IBM Corporation

Properties of Secure Network Communication

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Transcription:

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1

Agenda Part 1: Introduction Why is Forward Secrecy important? Technology Overview RSA Algorithm Diffie-Hellman Performance Impact Increasing adoption of Forward Secrecy Part 2: Deep Dive RSA Algorithm Diffie-Hellman Elliptic Curve Cryptography (ECC) Implementing Forward Secrecy 2

What s the problem? http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security http://www.theguardian.com/technology/2014/apr/08/heartbleed-bug-puts-encryption-at-risk-for-hundreds-of-thousands-of-servers 3

Why is Forward Secrecy important? Using typical HTTPS implementations based on RSA, an adversary could record encrypted data and decrypt it later if they gain access to the relevant private key(s) Using Forward Secrecy this approach is impossible http://blogs.computerworld.com/encryption/22366/can-nsa-see-through-encrypted-web-pages-maybe-so 4

Review of SSL/TLS FUNCTION Authentication Key Exchange/Agreement Encryption Algorithm Hashing Algorithm Examples RSA DSA RSA Diffie-Hellman RC4 AES MD5 SHA-1 5

RSA is the problem Ron Rivest, Adi Shamir, and Len Adleman released the Rivest- Shamir-Adleman (RSA) public key algorithm in 1978. This algorithm can be used for encrypting and signing data. The encryption and signing processes are performed through a series of modular multiplications. 6

SSL Handshake Process RSA Browser requests web server identity Client Hello Challenge string Server Supported sends cipher a copy suites of its SSL certificate Server Hello Certificate (includes public key) Browser Confirmed checks cipher the suite SSL certificate and sends encrypted session key Master Key Encrypted with server public key Server sends an acknowledgement Server Verify Encrypted challenge string Encrypted Data SYMANTEC VISION 2014 7

RSA key exchange During the SSL handshake, the client receives the server s certificate This includes the server s public key Using RSA, the HTTPS session key is encrypted by the client using the server s public key and sent to the server across the network The server decrypts the session key using the corresponding private key RSA is vulnerable if the private key is discovered 8

Diffie-Hellman is the Solution The Diffie-Hellman algorithm was invented in 1976 by Whitfield Diffie and Martin Hellman (US patent 4,200,770). The Diffie-Hellman algorithm is not for encryption or decryption but it enables two parties who are involved in communication to generate a shared secret key for exchanging information confidentially. They can do this even when an eavesdropper listens in on their entire conversation. Whitfield 'Whit' Diffie Martin Hellman 9

SSL Handshake Process Diffie-Hellman Browser requests web server identity Client Hello Challenge string Server Supported sends cipher a copy suites of its SSL certificate Server Hello Certificate Browser Confirmed checks cipher the suite SSL certificate and Server key sends info confirmation Key Agreement Client key info Server sends an acknowledgement Server Verify Encrypted challenge string Encrypted Data SYMANTEC VISION 2014 10

Diffie-Hellman key agreement Using Diffie-Hellman key agreement, client and server agree a session key without ever sending the key across the network Diffie-Hellman can be used to enable Forward Secrecy 11

What is Perfect Forward Secrecy? Forward Secrecy uses Diffie-Hellman to generate a key for each session Perfect Forward Secrecy enhances Forward Secrecy by continuously changing the key material during each session generating a new key for each message of a conversation 12

Where is Forward Secrecy Implemented? As of January 2014, 5% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to web browsers* * SSL Pulse (January 03, 2014) 13

Are You Using Forward Secrecy? Let s See 14

Are You Using Forward Secrecy? 15

Implementing Forward Secrecy Or can you? http://www.theregister.co.uk/2013/06/26/ssl_forward_secrecy/ 16

How do you implement Forward Secrecy? Diffie-Hellman Key Exchange (DHE) has a significant CPU overhead compared to RSA Elliptic Curve Diffie- Hellman (ECDHE) has minimal CPU overhead compared to RSA Source: Bernat 17

Elliptic Curve Cryptography Overview ECC 1 Stronger Encryption 2 Efficient Performance 3 Highly Scalable 4 Future of Crypto Tech Shorter key than RSA 256-bit ECC = 3072-bit RSA 10k times harder to crack than RSA 2048 Meets NIST recommendations Efficiency increases with higher server loads Utilizes less server CPU PC s: Faster page load time Ideal for mobile devices Large SSL deployments w/out additional hardware Securing the enterprise: Use fewer resources Lower costs Viable for many years Built for Internet of Things Supports billions of new devices coming online Ideal for Open Networks Truly future proof trust infrastructure in place 18

Implementing Forward Secrecy Source: Huang, Adhikarla, Boneh, Jackson 19

Implementing Forward Secrecy Source: Huang, Adhikarla, Boneh, Jackson 20

Implementing Forward Secrecy Use Diffie-Hellman key agreement for Forward Secrecy Use Elliptic Curve Cryptography for Performance ECC 21

Technical Overview What is the RSA Algorithm? What is Diffie-Hellman? What is Elliptic Curve Cryptography (ECC)? 23

RSA key exchange During the SSL handshake, the client receives the server s certificate This includes the server s public key Using RSA, the HTTPS session key is encrypted by the client using the server s public key and sent to the server across the network The server decrypts the session key using the corresponding private key RSA is vulnerable if the private key is discovered 24

RSA Encryption & Decryption Example Public key: n=33 e=3 Formula: y=x e mod n Encryption using public key Plaintext Binary plaintext we attack at dawn 01010010010010110100 Groups of 5 bits Decimal plaintext (x) x 3 Decimal ciphertext y = x 3 mod 33 01010 01001 00101 10100 10 9 5 20 1000 729 125 8000 10 3 26 14 Binary ciphertext 01010000111101001110 Ciphertext org^zplvnwk>?@qd 25

RSA Encryption & Decryption Example Decryption using private key Ciphertext Private key: n=33 d=7 Formula: x=y d mod n org^zplvnwk>?@qd Binary ciphertext 01010000111101001110 Decimal ciphertext y y 7 Decimal plaintext x = y 7 mod 33 Groups of 5 bits 10 3 26 14 10 7 2187 26 7 14 7 10 9 5 20 01010 01001 00101 10100 Binary plaintext 01010010010010110100 Plaintext we attack at dawn 26

RSA Encryption & Decryption Exercise Choose a number 1 < x < 33 Encrypt x with RSA using the public key n=33, e=13 Decrypt the encrypted number using the private key n=33, d=17 Check if the decrypted number equals the original number Encryption Decryption y=x e mod n x=y d mod n Modular Arithmetic (MOD Operation) Modular arithmetic is related to that of the remainder in division. The operation of finding the remainder is sometimes referred to as the modulo operation, for example 14 (mod 12) = 2. 27

Why is RSA Secure? e p x q = n Large prime numbers Public Key Private Key d = Function of p q e Hard Problem: To calculate d from n & e, you must find the prime factors of n What are the prime factors of 6499? What is 67 x 97? 28

How secure is RSA? Asymmetric Key Length Key Space Equivalent Symmetric Key Length 768 bits 10 232 66 bits 1024 bits 10 308 80 bits 2048 bits 10 616 112 bits 3072 bits 10 924 128 bits 29

Diffie-Hellman key agreement Using Diffie-Hellman key agreement, client and server agree a session key without ever sending the key across the network Diffie-Hellman can be used to enable Forward Secrecy 30

Diffie-Hellman Key Exchange Algorithm Example Formula y = g x mod n Public Parameters Prime modulus: n=31 Primitive element: g=3 A Random value a=8 A = g a mod n = 3 8 mod 31 = 20 Random value b=6 B = g b mod n = 3 6 mod 31 = 16 B B=16 A=20 S = B a mod n = 16 8 mod 31 = 4 Shared Secret Key (S) is the same g ab mod n = g ba mod n S = A b mod n = 20 6 mod 31 = 4 31

Diffie-Hellman Key Exchange Exercise Choose a number 1 < x < 20 Encrypt x with Diffie-Hellman using the public parameters n=31, g=3 Exchange the encrypted number y with your neighbour Calculate the shared key (S) using your neighbour s encrypted number (y) and your number (x) Check with your neighbour if your values for S are the same Encryption Shared Key y=g x mod n S=y x mod n Modular Arithmetic (MOD Operation) Modular arithmetic is related to that of the remainder in division. The operation of finding the remainder is sometimes referred to as the modulo operation, for example 14 (mod 12) = 2. 32

TLS 1.2 Key Exchange Mechanisms RFC 5246 Mechanism Method Server public key RSA RSA RSA RSA DH_RSA Diffie-Hellman Diffie-Hellman RSA DH_DSS Diffie-Hellman Diffie-Hellman DSA DHE_RSA Ephemeral Diffie-Hellman RSA Any DHE_DSS Ephemeral Diffie-Hellman DSA Any Certificate signature DH_anon Diffie-Hellman None None Forward Secrecy 33

Elliptic Curves An elliptic curve is a plane curve defined by an equation of the form: y 2 x 3 ax b Examples: 34

Elliptic Curve Cryptography (ECC) Adding 2 points on a curve produces another point on the curve Adding a point to itself produces another point on the curve If we add a point P to itself d times we end up with Q, another point on the curve Digital Privacy: AOSSL & PFS SYMANTEC VISION 2014 35

Elliptic Curve Cryptography (ECC) Elliptic curves can be used to construct a public key cryptography system The private key d is randomly selected from [1,n-1], where n is integer Then the public key Q is computed by dp, where P,Q are points on the elliptic curve Like the conventional cryptosystems, once the key pair (d, Q) is generated, a variety of cryptosystems such as signature, encryption/decryption and key management can be set up 36

Recommended Key Sizes Symmetric Key Size (bits) RSA and Diffie- Hellman Key Size (bits) Elliptic Curve Key Size (bits) 80 1024 160 112 2048 224 128 3072 256 192 7680 384 256 15360 521 http://www.nsa.gov/business/programs/elliptic_curve.shtml 37

Elliptic Curve Diffie-Hellman Example Alice and Bob make a key agreement over the following prime, curve, and point: p=3851, E:y 2 =x 3 +324x+1287, P=(920,303) E(F 3851 ) Alice chooses the private key d A =1194, computes Q A =1194P=(2067,2178) E(F 3851 ), and sends it to Bob Bob chooses the private key d B =1759, computes Q B =1759P=(3684,3125) E(F 3851 ), and sends it to Alice Alice computes d A Q B =1194(3684,3125)=(3347,1242) E(F 3851 ) Bob computes d B Q A =1759(2067,2178)=(3347,1242) E(F 3851 ) 38

ECC Key Exchange Mechanisms RFC 4492 Mechanism Method Server public key Certificate signature ECDH_RSA ECDH_ECDSA ECDHE_RSA ECDHE_ECDSA ECDH_anon Elliptic Curve Diffie- Hellman Elliptic Curve Diffie- Hellman Ephemeral Elliptic Curve Diffie-Hellman Ephemeral Elliptic Curve Diffie-Hellman Ephemeral Elliptic Curve Diffie-Hellman Elliptic Curve Diffie-Hellman Elliptic Curve Diffie-Hellman RSA ECDSA None RSA ECDSA Any Any None Forward Secrecy ECC Certificate 39

ECC Certificate Example Key Exchange Using ECDHE_ECDSA 40

Summary Implementing Forward Secrecy Put ECDHE and DHE methods at top of server priority list Install ECDSA certificates Mechanism Method Certificate Performance DHE_RSA Ephemeral Diffie-Hellman RSA DHE_DSS Ephemeral Diffie-Hellman DSA ECDHE_RSA ECDHE_ECDSA Ephemeral Elliptic Curve Diffie-Hellman Ephemeral Elliptic Curve Diffie-Hellman RSA ECDSA * * ** *** 41

Use Symantec ECC Certificates to enable Forward Secrecy An ECC certificate is included at no additional cost with all Symantec Premium SSL certificates Symantec s ECC certificate roots have been in place for over five years: You can be confident that your ECC certificate will work throughout your ecosystem 42

Useful References Diffie Hellman Key Agreement Method http://tools.ietf.org/html/rfc2631 RSA: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" Communications of the ACM 21 (2): 120 126 http://people.csail.mit.edu/rivest/rsapaper.pdf RFC4492 Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) http://tools.ietf.org/html/rfc4492 FIPS 186-2 Digital Signature Standard (DSS) http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf 43

Useful Links Forward Secrecy at Twitter: https://blog.twitter.com/2013/forward-secrecy-at-twitter SSL Labs: Deploying Forward Secrecy: https://community.qualys.com/blogs/securitylabs/2013/06/25/ ssl-labs-deploying-forward-secrecy Symantec DSA / ECC FAQ: https://knowledge.verisign.com/support/ssl-certificatessupport/index?page=content&id=so21715&actp=search&viewl ocale=en_us&searchid=1392807268836 A (relatively easy to understand) primer on elliptic curve cryptography: http://arstechnica.com/security/2013/10/arelatively-easy-to-understand-primer-on-elliptic-curvecryptography/ 44

A Final Note. Public key cryptography was first discovered by American geeks. Right? Wrong. The Open Secret: http://www.wired.com/wired/archive/7.04/c rypto_pr.html The Alternative History of Public-Key Cryptography: http://cryptome.org/ukpk-alt.htm Clifford Cocks & James Ellis: http://en.wikipedia.org/wiki/clifford_cocks http://en.wikipedia.org/wiki/james_h._ellis 45

Thank you! YOUR FEEDBACK IS VALUABLE TO US! Please take a few minutes to fill out the short session survey available on the mobile app the survey will be available shortly after the session ends. Watch for and complete the more extensive post-event survey that will arrive via email a few days after the conference. To download the app, go to https://vision2014.quickmobile.com or search for Vision 2014 in the itunes or Android stores. 46

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information