TlS SECURITY aspects. RTR Workshop A-sit Plus GMBH dr. Peter Teufl

Similar documents
Communication Security for Applications

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Web Security Considerations

Secure Sockets Layer

Information Security

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Communication Systems SSL

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

SSL Secure Socket Layer

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Lecture 7: Transport Level Security SSL/TLS. Course Admin

TLS/SSL in distributed systems. Eugen Babinciuc

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Overview. SSL Cryptography Overview CHAPTER 1

Authenticity of Public Keys

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Savitribai Phule Pune University

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

Security Protocols/Standards

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

SECURE SOCKETS LAYER (SSL)

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

CSC Network Security

CSC 474 Information Systems Security

SSL Secure Socket Layer

SSL/TLS: The Ugly Truth

Practical Invalid Curve Attacks on TLS-ECDH

IT Networks & Security CERT Luncheon Series: Cryptography

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Lab 7. Answer. Figure 1

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Chapter 7 Transport-Level Security

Is Your SSL Website and Mobile App Really Secure?

Chapter 17. Transport-Level Security

Secure Socket Layer. Security Threat Classifications

, ) I Transport Layer Security

SSL BEST PRACTICES OVERVIEW

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

SSL A discussion of the Secure Socket Layer

MatrixSSL Developer's Guide Version 3.7

WIRELESS LAN SECURITY FUNDAMENTALS

Lecture 4: Transport Layer Security (secure Socket Layer)

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

Computer and Network Security

Implementation and Evaluation of Datagram Transport Layer Security (DTLS) for the Android Operating System DANIELE TRABALZA

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

SSL: Secure Socket Layer

Using etoken for SSL Web Authentication. SSL V3.0 Overview

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Managing SSL certificates in the ServerView Suite

Learning Network Security with SSL The OpenSSL Way

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Protocol Rollback and Network Security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Protocols

Some solutions commonly used in order to guarantee a certain level of safety and security are:

SSL Server Rating Guide

Secure Socket Layer (TLS) Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Transport Level Security

Transport Layer Security (TLS)

GNUTLS. a Transport Layer Security Library This is a Draft document Applies to GnuTLS by Nikos Mavroyanopoulos

Network Security Essentials Chapter 5

Programming with cryptography

Certificates and network security

The Beautiful Features of SSL And Why You Want to Use Them?

CRYPTOGRAPHY AS A SERVICE

Bit Chat: A Peer-to-Peer Instant Messenger

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Computer Security: Principles and Practice

ISA 562 Information System Security

National Security Agency Perspective on Key Management

Cryptography and Network Security IPSEC

IPsec Details 1 / 43. IPsec Details

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Introduction to Cryptography

Web Security. Mahalingam Ramkumar

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Secure network protocols: how SSL/TLS, SSH, SFTP and FTPS work

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Authentication requirement Authentication function MAC Hash function Security of

Institute of Computer Technology - Vienna University of Technology. L96 - SSL, PGP, Kerberos

An Introduction to Cryptography as Applied to the Smart Grid

The Secure Sockets Layer (SSL)

Low-Level TLS Hacking

Transcription:

TlS SECURITY aspects RTR Workshop 05.11.2015 A-sit Plus GMBH dr. Peter Teufl

Crypto crash course Asymmetric cryptography: encryption, decryption This key is really private, only the owner should have it! Private Key This key is really public, everyone can and should have it! Example for RSA Encrypt (everybody!) Decrypt (only key owner!) To be precise Plain data Encrypted Data Plain data Data is typically not encrypted/decrypted with the asymmetric keys Symmetric keys are used for that Only the symmetric keys are encrypted/decrypted with the asymmetric ones (due to performance, security (block mode))

Crypto crash course Asymmetric cryptography: signing, verification Private Key Everybody must be able to do that! Verify (decrypt) (everybody!) Sign (encrypt) (only key owner!) Example for RSA Plain data Signed Hash Plain data Calc Hash (e.g. SHA-256) Calc Hash (e.g. SHA-256) Hash Hash To be precise: Hash Signed Hash Compare Not the complete data is signed verified (same issues as with encryption) BUT, a short hash (e.g. 256 bit) is calculated and that is signed/verified Compare with thoughts on encryption in previous slide

Asymmetric cryptography: key agreement (for en/decryption) We need Trust though! (TLS handshake later ) User 1 (e.g. web browser) Private Key Exchange public keys (everyone can have them) User 2 (e.g. web server) Private Key agree on symmetric key with user 1 private key and user 2 public key Private Key Private Key ECDH/DH symmetric key agree on symmetric key with user 1 private key and user 2 public key Private Key Private Key ECDH/DH Crypto Crash Course symmetric key the same symmetric key is generated (only user 1/2 can generate those keys) use for encryption/decryption

PRIVATE (securely stored on web server) Private Key Host PUBLIC X509 Certificate of Host PRIVATE (securely stored by CA) Private Key CA PUBLIC X509 Certificate of Certificate Authority Crypto Crash Course X509 Certificates Issuer: super secure TLS CA Subject: secure.example.com Cert hash Signature Issuer: self issued Subject: super secure TLS CA Cert hash Signature (self signed) Get host certificate during TLS hand shake (1) verify host name https://secure.example.com Certificate of secure.example.com Signature Trust Store Browser/Operating System (2) verify signature Certificate of super secure TLS CA Web Browser

Topics Crypto Crash Course TLS details Handshake and how to achieve confidentiality, integrity, authenticity Client TLS Cipher suites, Perfect Forward Secrecy HSTS, Certificate Pinning Attacks Trust Heartbleed SSLStrip Flame

Transport Layer Security (TLS) Perfect overview on WikiPedia (history, browser support etc.) http://en.wikipedia.org/wiki/transport_layer_security ECC cipher suites: http://tools.ietf.org/html/rfc4492 (ECDH, ECDHE example) TLS 1.2: http://www.ietf.org/rfc/rfc5246.txt (RSA example) Key protocol for secure communication HTTPS, VPNs, for any secure communication Initial development by Netscape in the 90s. First public release SSL 2.0 in 1995 (critical sec flaws!)

Transport Layer Security (TLS) SSL 3.0 in 1996, RFC 6101 TLS 1.0 in 1999, RFC 2246 No significant changes when compared to SSL 3.0 downgrade option to SSL 3.0 TLS 1.1 in 2006, RFC 4346 Security fixes TLS 1.2 in 2008, RFC 5246, old cipher suites removed, bugfixes TLS 1.3, Draft, April 2015 (drop insecure/problematic features)

TLS - Protocol - Basic Steps Certificate of server. Standard HTTPS scenario Certificate from client Client TLS/SSL Certain cipher suites Certificate required from client source: http://tools.ietf.org/html/rfc5246

ClientHello (Client) TLS version Random number List of suggested cipher suites Compression methods Session ID if resumed

ClientHello - CipherSuites CipherSuites

ClientHello - CipherSuites Structure [SSL TLS], [key exchange], [authentication], [bulk cipher], [message auth] Examples TLS_RSA_WITH_AES_128_CBC_SHA (TLS, RSA, RSA, AES 128 CBC, SHA) TLS_ECDHE_RSA_WITH_RC4_128_SHA (TLS, ECDHE, RSA, RC4 128, SHA) Many possible cryptographic protocols for key exchange, encryption, authentication, message integrity

ServerHello (Server)

ServerHello (Server) Chosen TLS version Random number Selected cipher suite Selected compression method

Certificate (Server)

Certificate (Server)

ServerKeyExchange (Server)

ServerKeyExchange (Server)

CertificateRequest (Server) Missing... Most HTTPS servers do not require a client certificate

ServerHelloDone (Server) Tells the client that ServerHello and associated messages have been sent

TLS - ServerHelloDone

Certificate (Client) Missing... No certificate was requested by the server

ClientKeyExchange (Client)

ClientKeyExchange (Client)

ChangeCipherSpec (Client)

ChangeCipherSpec (Client) From client ChangeCipherSpec: telling the server that everything is encrypted from now

Finished (Client)

Finished (Client) Finished: sending hash, MAC of previous handshake messages (encrypted) server decrypts message, verifies hashes

Application Data (Client, Server)

TLS - Encrypted Application Data Encrypted HTTP traffic

Topics Crypto Crash Course TLS details Handshake and how to achieve confidentiality, integrity, authenticity Client TLS Cipher suites, Perfect Forward Secrecy HSTS, Certificate Pinning Attacks Trust Heartbleed SSLStrip Flame

Topics Crypto Crash Course TLS details Handshake and how to achieve confidentiality, integrity, authenticity Client TLS Cipher suites, Perfect Forward Secrecy HSTS, Certificate Pinning Attacks Trust Heartbleed SSLStrip Flame

Cipher suites key exchange, agreement: RSA, DH, DHE, ECDH, ECDHE How to exchange the bulk encryption key? (req for confidentiality, integrity) authentication: RSA, DSS, ECDSA How to verify whether the server is authentic? (authenticity) bulk ciphers: AES, 3DES, RC4 How to encrypt data? (confidentiality) message authentication: SHA{256, 384}, MD5 (!) How to verify the integrity of the transmitted data? (integrity) perfect forward secrecy: Depends on deployed key exchange/agreement algorithm

Cipher Suites Structure [SSL TLS], [key exchange], [authentication], [bulk cipher], [message auth] Examples TLS_RSA_WITH_AES_128_CBC_SHA (TLS, RSA, RSA, AES 128 CBC, SHA) TLS_ECDHE_RSA_WITH_RC4_128_SHA (TLS, ECDHE, RSA, RC4 128, SHA) Many possible cryptographic protocols for key exchange, encryption, authentication, message integrity

Cipher Suites

Perfect Forward Secrecy Perfect Forward Secrecy (PFS) Popped up again due to NSA topic Even if an attacker gains access to the long term keys e.g. RSA keys used for the X509 certificates the session keys used for bulk encryption cannot be derived http://crypto.stackexchange.com/questions/8933/how-can-i-use-ssl-tlswith-perfect-forward-secrecy

NO PFS EXAMPLE (simplified TLS handshake) Client want to establish secure communication Server Certificate send certificate Certificate Private Key Verify Cert Certificate Certificate Private Key generate random key THE PROBLEM AES KEY encrypt AES key Certificate send wrapped AES key Private Key Certificate decrypt AES key AES KEY Wrapped AES KEY Wrapped AES KEY AES KEY Certificate Certificate protected data Private Key AES KEY encrypt decrypt encrypt decrypt AES KEY

NO PFS EXAMPLE Wrapped AES KEY Server Client Server Certificate protected data Private Key 12.03.2012 capture and store data Wrapped AES KEY Client Server protected data Wrapped AES KEY 10.10.2013 capture and store data Client protected data Server 01.01.2014 capture and store data

NO PFS EXAMPLE Wrapped AES KEY Server Client Server Certificate protected data Private Key 12.03.2012 capture and store data Wrapped AES KEY 10.04.2015 gain access to private key Client protected data Server decrypt keys and data Wrapped AES KEY 10.10.2013 capture and store data Client protected data Server 01.01.2014 capture and store data

NO PFS EXAMPLE TLS_RSA_WITH_AES_128_CBC_SHA which actually means: TLS_RSA_RSA_WITH_AES_128_CBC_SHA key exchange via RSA (gaining a bulk encryption key, here AES) authentication via RSA (server proofs its authenticity) bulk cipher: AES_128_CBC message authentication: SHA based MAC

PFS EXAMPLE ECDHE_RSA_WITH_AES_128_GCM_SHA ECDH_RSA_WITH_AES_128_GCM_SHA which actually means Key exchange: ECDHE - Elliptic Curve Diffie Hellman Key Exchange, Ephemeral Authentication: RSA Bulk cipher: AES_128_GCM Message authentication: SHA based MAC RSA and elliptic curves?

PFS EXAMPLE ECDHE: Elliptic Curve Diffie Hellman - Ephemeral (PFS)

PFS EXAMPLE ClientHello, ServerHello messages may include curve parameters for ECC use Certificate: sends certificate to client

PFS EXAMPLE ECDHE Elliptic Curve Diffie Hellman - Ephemeral ServerKeyExchange needed! Server generates ephemeral key pair Sends signed public key and parameters to the client Signed with private key of server certificate Could be RSA or ECDSA etc. depending on the certificate

PFS EXAMPLE ClientKeyExchange! For ECDHE and ECHD, client always generates ephemeral key pair Parameters, keys are sent to server via ClientKeyExchange Message Client, Server can calculate common secret via ECDH

ECDHE_RSA/ECDSA Certificate Certificate certificate Certificate Private Key Fix fixed key pair from certificate SIGN Certificate parameters ephemeral key pair Parameters Private Key generating ephemeral keys Parameters Private Key Eph parameters and key ephemeral key pair Certificate Private Key fix ServerKeyExchange Certificate Parameters Parameters Parameters Certificate Private Key signed! Private Key Eph Private Key fix VERIFY Parameters ClientKeyExchange Parameters Certificate Certificate Parameters Parameters Private Key Private Key Eph Private Key fix Private Key Key Derivation Private Key Eph bulk data encryption key derivation shared key shared key key derivation Private Key delete ephemeral keys Private Key Eph

PFS EXAMPLE Certificate Client E1 E1 Server Certificate Private Key fix Certificate E2 Client E2 YANSA - Yet Another National Security Agency shared key cannot be derived ephemeral private keys are missing

Topics Crypto Crash Course TLS details Handshake and how to achieve confidentiality, integrity, authenticity Client TLS Cipher suites, Perfect Forward Secrecy HSTS, Certificate Pinning Attacks Trust Heartbleed SSLStrip Flame

HSTS - HTTP Strict Transport Security Attacks are often based on HTTPS to HTTP downgrades Web page offers HTTPS/HTTP, attacker injects HTTP links to force user to user weak HTTP communication Web page offers HTTPS only attacker uses a proxy (SSLSSTRIP) to move user to HTTP communications. How to deal with that?

HSTS - HTTP Strict Transport Security Tell the browser that all connections to a domain/host are HTTPS only From now on the browser does not accept HTTP communication to that site How? via an HTTP header Strict-Transport-Security: max-age=31536000; includesubdomains; header can only be set during a valid HTTPS request, headers in HTTP only communication are ignored http://tools.ietf.org/html/rfc6797 that s it? is everything secure now?

Certificate Pinning dns entry PKI trust many CAs in trust store subject in certificate TLS trust based on: (referring to crypto crash course) (1) certificate issued by a trusted CA (2) compare DNS host name with host name in CN of certificate what happens if:

Certificate Pinning Introduce certificate pinning (http://www.rfc-editor.org/rfc/rfc7469.txt) remember hash values (pins) of public keys associated with X509 certificates of TLS servers if PIN changes (meaning that the certificate changes), drop connection even if certificate would be trustworthy and DNS name matches with subject CN certificate pins are either stored in browser (or app) or submitted (like HSTS) via HTTP headers during the first connection (same issues as with HSTS, first connection must be secure)

certificate pinning Getting necessary to avoid MITM attacks to deal with the problem of many trusted CAs in the browser that have different quality levels Many more details for different operating systems https://www.owasp.org/index.php/ Certificate_and_Public_Key_Pinning

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information