CSCI-UA.9480 Introduction to Computer Security Session 1.4



SLIDE 1

CSCI-UA.9480 Introduction to Computer Security

Session 1.4

Transport Layer Security

Prof. Nadim Kobeissi
SLIDE 2

HTTPS and TLS

2 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

1.4a

SLIDE 3

What is TLS?

  • The S in HTTPS.
  • Most likely the most relevant web encryption protocol.
  • Built on all the technologies we’ve seen so far:
      ○ Public key cryptography.
      ○ Symmetric encryption.
      ○ Hashing.
SLIDE 4

HTTPS Pages by Country (Chrome)

Source: https://transparencyreport.google.com/https/
SLIDE 5

HTTPS Pages by Platform (Chrome)

Source: https://transparencyreport.google.com/https/
SLIDE 6

HTTPS Pages by Google Service

Source: https://transparencyreport.google.com/https/
SLIDE 7

HTTPS Pages by Country (Firefox)

Source: https://letsencrypt.org/stats/
SLIDE 8

Did you know?

SSL 1.0 was never released due to critical security flaws. SSL 2.0 barely lasted one year before being replaced.
SLIDE 9

History of TLS

  • SSL (Secure Sockets Layer) 1.0 was never released. SSL 2.0 lasted a year. SSL 3.0 released in 1996.
  • TLS 1.0 released in 1999.
  • TLS 1.1 released in 2006.
  • TLS 1.2 released in 2008.
  • TLS 1.3 released in 2018.
SLIDE 10

As discussed last time: protocols.

In protocols, we reason about:
  • Principals: Alice, Bob.
  • Security goals: confidentiality, authenticity, forward secrecy…
  • Use cases and constraints.
  • Attacker model.
  • Threat model.
SLIDE 11

Protocols need to do things.

Protocols are frequently entrusted with:
  • Communicating secret data without a malicious party being able to read it: confidentiality.
  • Ensuring that any data Bob receives that appears to be from Alice is indeed from Alice: authenticity.
  • Limiting the damage that can be caused by device compromise or theft: post-compromise security.
SLIDE 12

Protocols need to do things.

Protocols have building blocks:
  • Public key agreement: Client and server agree on some shared secret key over an insecure channel.
  • Symmetric encryption: Encrypting and decrypting data with a shared secret key.
  • Hashing and signatures: Providing integrity and authenticity of communicated data.
SLIDE 13

TLS is a secure channel protocol.

  • Authenticated key exchange phase: Exchange public keys, establish shared secrets and start a session.
  • Application data/messaging stage: Send encrypted, authenticated data (websites, messages, files, videos…)
SLIDE 14

TLS is a secure channel protocol.

  • Client’s local state: server certificate, accepted cipher configurations, ephemeral public key pair, pre-shared secret for session resumption…
  • Server’s local state: long-term keys, accepted cipher configurations, pre-shared secret for session resumption…
SLIDE 15

Cipher suites?

  • Set of cryptographic primitives supported by the client and server.
  • What if the server advertises a bad cipher suite?
      ○ FREAK, POODLE, LOGJAM…

[Diagram labels: Client, Server; AES, SHA2, RSA, SHA2, RC4, RSA]
SLIDE 16

Evaluating HTTPS overall security.

SLIDE 17

NYU.edu: Supported protocols.

SLIDE 18

NYU.edu: Supported cipher suites.

SLIDE 19

NYU.edu: Supported devices.

SLIDE 20

TLS 1.2 and TLS 1.3: How Protocols Evolve

[Figure panels: TLS 1.2, TLS 1.3]
SLIDE 21

TLS 1.2 and TLS 1.3: How Protocols Evolve

[Figure panels: TLS 1.2, TLS 1.3. Stage labels: Supported protocol and cipher suites; Authenticated Key Exchange; Verify handshake log; Application data stage; 0 Round Trip Messaging! (0-RTT)]
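
Added example (not from the original slides): a toy model of why the handshake log is verified once cipher suites have been negotiated. The server picks a suite from the client's offer; if the offer is rewritten in transit, the MAC each side computes over its own view of the log no longer matches. Suite names, message encoding and function names are constructed for illustration and are not TLS wire format.

```python
import hashlib
import hmac
import os

# Constructed suite names, strongest first; RC4-MD5 stands in for a legacy suite.
SERVER_PREFERENCE = ["AES-GCM-SHA256", "AES-CBC-SHA256", "RC4-MD5"]

def negotiate(offered, server_pref=SERVER_PREFERENCE):
    """Server picks its most-preferred suite that the client also offered."""
    for suite in server_pref:
        if suite in offered:
            return suite
    raise ValueError("no common cipher suite")

def transcript_hash(messages):
    """Hash of the ordered handshake log, length-prefixed to avoid ambiguity."""
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(4, "big") + m)
    return h.digest()

def finished_mac(session_key, messages):
    """MAC over the handshake log, keyed with the key-exchange output."""
    return hmac.new(session_key, transcript_hash(messages), hashlib.sha256).digest()

def handshake(client_offer, tamper=None):
    """Run the toy handshake; `tamper` models an on-path rewrite of the offer.
    Returns (negotiated_suite, client_accepts)."""
    session_key = os.urandom(32)  # assumption: stands in for the authenticated key exchange
    hello_sent = ",".join(client_offer).encode()
    hello_seen = tamper(hello_sent) if tamper else hello_sent
    suite = negotiate(hello_seen.decode().split(","))
    server_hello = suite.encode()
    # Each side MACs the log as it saw it; the client compares the two.
    server_fin = finished_mac(session_key, [hello_seen, server_hello])
    expected = finished_mac(session_key, [hello_sent, server_hello])
    return suite, hmac.compare_digest(server_fin, expected)

def strip_to_legacy(hello):
    """Constructed tamper function: leave only the last (weakest) offered suite."""
    return hello.split(b",")[-1]

if __name__ == "__main__":
    offer = ["AES-GCM-SHA256", "RC4-MD5"]
    print(handshake(offer))
    print(handshake(offer, strip_to_legacy))
```

The check only helps while the key exchange itself cannot be broken, which is why legacy suites need to be removed from the server's list rather than merely ranked last.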
SLIDE 22

TLS 1.3: A Simpler Overview

  • By employing the primitives introduced in earlier sessions, we obtain all of our security guarantees.
SLIDE 23

Public Key Infrastructure

1.4b

SLIDE 24

Why do certificates matter?

  • Certificates authenticate a set of claims that a server is making about its authority and ownership over some website.
SLIDE 25

Why do certificates matter?

  • Certificates authenticate a set of claims that a server is making about its authority and ownership over some website.
      ○ Long-term public keys (identity keys.)
      ○ Entity operating the website.
  • But who vouches for these claims? Certificate authorities.
  • Public signing keys of certificate authorities shipped hardcoded into consumer devices.
SLIDE 26

Certificate Authorities: a complete mess.

Certificate authorities are a scam that benefits nobody.
  • They contribute almost nothing to online security, cost a lot of money, are a barrier to deploying secure websites.
  • If one of them gets compromised, the entire Web’s endpoint authentication is put at risk.
SLIDE 27

Certificate Authorities: a complete mess.

SLIDE 28

Let’s Encrypt: a new hope?

  • Free certificates.
  • Automated certificate issuance protocol (ACME) – the first of its kind!
      ○ Formally verified recently.
  • Free secure websites for everyone.
SLIDE 29

Let’s Encrypt Growth

Source: https://letsencrypt.org/stats/
SLIDE 30

Certificate Authority Market Share

Source: https://w3techs.com/technologies/history_overview/ssl_certificate
SLIDE 31

Attacks on TLS

1.4c

SLIDE 32

Attacks on TLS: SMACK and FREAK

  • SMACK: Can’t get past key exchange or authentication? Just skip the messages!
  • FREAK: In the 1990s, NSA mandated weak cipher suites for HTTPS so that foreign and civilian communications could be decrypted.
      ○ Thanks to insecure state transition logic, we can force these cipher suites to be used even in 2015.
      ○ Expanded with Logjam.
SLIDE 33

Attacks on TLS: Sloth

  • RSA-MD5 couples the public key primitive RSA with the outdated hash function MD5, which can now have pre-images obtained with 2^39 calculations.
  • By obtaining targeted pre-images, client authentication can be broken.

Many more attacks on TLS exist: Sweet32, Triple Handshake…
SLIDE 34

“SLOTH is also a not-so-subtle reference to laziness in the protocol design community with regard to removing legacy cryptographic constructions.” – SLOTH paper authors.

SLIDE 35

Next time: Usability and Secure Messaging.


1.5