overview of tls v1 3
play

Overview of TLS v1.3 Whats new, whats removed and whats changed? - PowerPoint PPT Presentation

Mar 11, 2024 •148 likes •773 views

Overview of TLS v1.3 Whats new, whats removed and whats changed? About Me Andy Brodie Worldpay Principal Design Engineer. Based in Cambridge, UK. andy.brodie@owasp.org Neither a cryptographer nor a mathematician!

  1. Overview of TLS v1.3 What’s new, what’s removed and what’s changed?

  2. About Me • Andy Brodie – Worldpay Principal Design Engineer. – Based in Cambridge, UK. – andy.brodie@owasp.org • Neither a cryptographer nor a mathematician! – This means no maths in this presentation.

  3. Agenda • History & Background. • What’s Been Removed. • What’s New & Changed. – Cipher Suites. – Handshake Changes. – Hashed-Key Derivation Function. – Session Resumption. • Summary. 3

  4. The Goals and Basics of TLS HISTORY & BACKGROUND 4

  5. How SSL became TLS When Who What Comments 1994 Netscape SSL 1.0 designed. Never published as security flaws were found internally. 1995 Netscape SSL v2.0 published. Flaws found pretty quickly, which led to… 1996 Netscape SSL v3.0 published. SSL becomes ubiquitous. 1999 IETF TLS v1.0 published (SSL v3.1) Incremental fixes, political name change and IETF ownership. 2006 IETF TLS v1.1 published (SSL v3.2) Incremental fixes and capabilities. 2008 IETF TLS v1.2 published (SSL v3.3) What we should all be using! 2014 IETF TLS v1.3 draft 1 (SSL v3.4) 2018 IETF TLS v1.3 draft 23 Expires July 15 5

  6. Stop to consider the awesomeness! A Client and Server can have a secure conversation over an insecure medium having never met before.

  7. What is a secure conversation? • Privacy – Conversation must be encrypted. – Prevent eavesdropping attacks. • Integrity – Client & Server must be able to detect message tampering. – Prevent Man In The Middle (MITM) attacks. • Authentication – Client needs to trust they’re talking to the intended server. – Prevent impersonation attacks.

  8. TLS achieves this using various techniques… • Privacy – Symmetric key encryption for application data. – Typically Advanced Encryption Standard (AES). • Integrity – Authenticated Encryption with Additional Data (AEAD). – Usually AES-GCM (Galois/Counter Mode) cipher mode. • Authentication – X509 certificates signed by a mutually trusted third party. – Typically server authenticated only.

  9. Flow of messages in a TLS conversation Open Socket Handshake Application Data Alert Close Socket 9

  10. Flow of messages in a TLS conversation • Handshake – Agree a cipher suite. Open Socket – Agree a master secret. – Authentication using certificate(s). Handshake • Application Data – Symmetric key encryption. Application Data – AEAD cipher modes. – Typically HTTP. Alert • Alerts – Graceful closure, or Close Socket – Problem detected. 10

  11. https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html TLS V1.3

  12. Key Goals of TLS v1.3 • Key Goals of TLS v1.3: – Clean up - Remove unsafe or unused features. – Security - Improve security w/modern techniques. – Privacy - Encrypt more of the protocol. – Performance – 1-RTT and 0-RTT handshakes. – Continuity – Backwards compatibility. 12

  13. WHAT’S REMOVED IN TLS V1.3? 13

  14. What’s removed in TLS v1.3 Key Exchange • – RSA Encryption algorithms: • – RC4, 3DES, Camellia. Cryptographic Hash algorithms: • – MD5, SHA-1. Cipher Modes: • – AES-CBC. Other features: • – TLS Compression & Session Renegotiation. – DSA Signatures (ECDSA ≥ 224 bit). – ChangeCipherSpec message type & “Export” strength ciphers. – Arbitrary/Custom (EC)DHE groups and curves. 14

  15. This has mitigated quite a few attacks… RC4 3DES • Roos’s Bias 1995 • Sweet32 • Fluhrer, Martin & Shamir 2001 • Klein 2005 AES-CBC • Combinatorial Problem 2001 • Vaudenay 2002 • Royal Holloway 2013 • Boneh/Brumley 2003 • Bar-mitzvah 2015 • BEAST 2011 • NOMORE 2015 • Lucky13 2013 • POODLE 2014 RSA-PKCS#1 v1.5 Encryption • Lucky Microseconds 2015 • Bleichenbacher 1998 • Jager 2015 Compression • DROWN 2016 • CRIME 2012 Renegotiation MD5 & SHA1 Marsh Ray Attack 2009 • Renegotiation DoS 2011 • • SLOTH 2016 Triple Handshake 2014 • • SHAttered 2017 15

  16. WHAT’S NEW AND CHANGED? 16

  17. What’s New and Changed? • Cipher Suites. • Handshake. • Hashed-Key Derivation Function (HKDF). • Key Schedule. • Sessions. 17

  18. CIPHER SUITES

  19. TLS v1.2 provides 37 Cipher Suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Protocol Authentication AEAD Cipher Mode Key Exchange PRF Hash Algorithm • TLS 1.2 specifies 37 cipher suites. – Add previous versions in: 319 cipher suites.

  20. TLS 1.3 Cipher Suites TLS_AES_128_GCM_SHA256 AEAD Cipher Protocol HKDF Hash Mode Algorithm • TLS v1.3 supports 5 cipher suites. – TLS_AES_128_GCM_SHA256 – TLS_AES_256_GCM_SHA384 – TLS_CHACHA20_POLY1305_SHA256 – TLS_AES_128_CCM_SHA256 – TLS_AES_128_CCM_8_SHA256 20

  21. What happens to key exchange and authentication then? • Key Exchange algorithms: – DHE & ECDHE • Only 5 ECDHE curve groups supported • Only 5 DHE finite field groups supported – Pre-Shared Key (PSK) – PSK with (EC)DHE • Digital Signature (Authentication) algorithms: – RSA (PKCS#1 variants) – ECDSA / EdDSA 21

  22. HANDSHAKE CHANGES

  23. TLS Handshake • The handshake has three goals: – Agree a cipher suite. – Agree a master secret. – Establish trust between Client & Server. • Optimise for the most common use cases. – Everyone* wants a secure conversation. – Same cipher suites used across websites repeatedly. – Clients connect to the same sites repeatedly. * ok, almost everyone! 23

  24. TLS 1.2 Handshake

  25. Three Stages of a TLS 1.3 Handshake Key Exchange Server Parameters Authentication 25

  26. Client now makes assumptions about server support. • Client sends: – Cipher Suite options. – List of supported groups/curves. – (EC)DHE Key Share(s). • Server sends: – Cipher suite selection. – (EC)DHE Key Share • Client and Server now share a key. 26

  27. The rest of the handshake is encrypted. • Server sends: – Encrypted Extensions • Server Name • Message Length • …and optionally many more – Certificate Request • Supported signature algorithms. 27

  28. Client now makes assumptions about server support. • Server sends: – Certificate. – Proof of private key possession. – Finished. – Application Data • Client responds: – Certificate. – Proof of private key possession. – Finished. 28

  29. Efficiency Gains 29

  30. GENERATING KEYS USING HKDF 30

  31. HKDF (RFC5869) 
 HMAC-based Key Derivation Function TLS <= v1.2 defines PRF algorithm. • TLS v1.3 replaces this with HKDF. • – HKDF encapsulates how TLS uses HMAC. – Re-used in other protocols. – Separate cryptographic analysis already done. Provides 2 functions: • – Extract - create a pseudo-random key from inputs. – Expand - create more keys from the extract output. HMAC is integral to HKDF. • – HMAC requires the Cryptographic Hash algorithm specified in the cipher suite (SHA256 or SHA384). 31

  32. How the PRF is implemented PRF(secret, label, seed) P_HASH(secret, label + seed) HMAC(SHA-256) label + seed Key Material 32

  33. TLS <= v1.2 Creating Key Material from a master secret Client MAC Key PRF Server MAC Key Client Write Key Pre-master Secret Master Secret Key Material ∞ Server Write Key >= 46 bytes 48 bytes Client Write IV PRF Server Write IV

  34. TLS v1.3 Key Schedule Generation 0 PSK Early Secret Client Early Traffic Early Exporter Binder Key Secret Master Secret Derive Secret Derive-Secret (EC)DHE Handshake Secret HKDF-Expand-Label Client Traffic Server Traffic Derive-Secret Fixed Handshake Secret Handshake Secret Derive Secret HKDF-Extract Master Secret 0 Client Application Server App Traffic Exporter Master Resumption Traffic Secret 0 Secret 0 Secret Master Secret Client Application Server App Traffic Nonce N PSK Ticket N Traffic Secret N Secret N 34

  35. What’s the difference? PRE-SHARED KEYS AND SESSIONS 35

  36. Why do we need sessions? • Full handshakes are expensive. – Key generation. – Server (& Client) Authentication. • Many HTTP clients need it. – Download web page resources (JS, CSS, images). – Dynamic web pages (XHR). – May not be feasible to keep connection open. 36

  37. How do we establish a PSK? • Out-of-band – Added to TLS in 2006 via RFC4279. • During Handshake – Client announces it supports session resumption. – Server provides a PSK identities during handshake. • After handshake, Server sends “New Session Ticket” – Contains PSK identity, nonce and max age. – The PSK is derived from master secret. – Server can send multiple tickets. 37

  38. So, TLS v1.3 supports PSK-based session resumption becomes… 38

  39. What about Zero Round Trip Time (0-RTT)? • PSK means the key is known to both sides. – Does this mean Client can send data immediately? – Can we have a zero round trip time handshake? Yes, we can! • But… – No forward secrecy for the “early data” sent by client. – No guarantees of non-replay. 39

  40. So, TLS v1.3 supports PSK-based session resumption becomes… 40

  41. Extensions… Extensions everywhere! BACKWARDS COMPATIBILITY 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2 Coin and card meters OVERVIEW PRESENTATION / 3 Making garages work better OVERVIEW PRESENTATION / 4 User interface and customer experience OVERVIEW

1.3k views • 24 slides
OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF park overview OVERVIEW PRESENTATION / 3 Coin and card meters OVERVIEW PRESENTATION / 4 Improving the customer experience at garages OVERVIEW

567 views • 25 slides
GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

National Taiwan University Department of Computer Science and Information Engineering GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin Phone Lin Ph.D. Ph.D. Email: plin@csie.ntu.edu.tw Email:

686 views • 41 slides
i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

LGE UNICAMP The m i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW The m i c r o g u a r d ETHANOL s OVERVIEW The m i c Ideal conditions r o g Costs-benefits u a r d

1.39k views • 59 slides
Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95# Commissioner --BRYC Firefighter II, EMT-B, HTR &amp; HZMT Tech City of Alexandria Fire and EMS Overview Overview Hyperthermia (Heat Related Injuries)

2.61k views • 31 slides
1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure Industry Business Model Hotels Overview Disclaimer This presentation does not constitute, or form any part of any offer for sale or subscription

808 views • 32 slides
HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview

HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview

HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview Project Overview Analysis Active Experimentation Question &amp; Answer Team Overview Our Logo Our Tagline Our Mission Statement

1.09k views • 15 slides
Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four

Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four

Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four Dedicated Outbound Carriers MPF Meijer Private Fleet 111 stores serviced in Michigan, northern Ohio, and Indiana. NTB Nationwide Truck

865 views • 15 slides
HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team

HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team

HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team Overview Project Overview Analysis Active Experimentation Question &amp; Answer Team Overview Our Logo Our Tagline Our

934 views • 15 slides
An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese

An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese

An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese Agriculture Agriculture Agriculture characteristics S mall holdings L imited resources and L and Fragmentation. 2 Maltese agriculture in figures

1.04k views • 15 slides
Library Conversations: Talking with Users University of Rochester Overview Overview Used

Library Conversations: Talking with Users University of Rochester Overview Overview Used

Rebecca Bichel December 7, 2007 Library Conversations: Talking with Users University of Rochester Overview Overview Used anthropological &amp; ethnographic Overview Overview methods Guiding research question: What do students

941 views • 44 slides
.NET Overview Objectives Introduce .NET overview languages libraries

.NET Overview Objectives Introduce .NET overview languages libraries

.NET Overview Objectives Introduce .NET overview languages libraries development and execution model Examine simple C# program 2 .NET Overview .NET is a sweeping marketing term for a family of products

388 views • 23 slides
1 Overview Overview Regional demographic overview Regional demographic overview Workforce

1 Overview Overview Regional demographic overview Regional demographic overview Workforce

1 Overview Overview Regional demographic overview Regional demographic overview Workforce supply analysis Regional demand for workers i l d d f k Balancing supply and demand Reviewing key cluster trends Key challenges

533 views • 39 slides
EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a

EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a

EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a registered trademark of Future Designs, Inc . 1 Overview What is EZ? EZ RTOS Engine EZ Four Tier Hierarchy Reusable HAL and Device

600 views • 32 slides
Overview of the Reconstruction Overview of the Reconstruction Overview of Some Legal Issues

Overview of the Reconstruction Overview of the Reconstruction Overview of Some Legal Issues

Overview of the Reconstruction Overview of the Reconstruction Overview of Some Legal Issues Related to Puerto Ricos Debt Restructuring by Sergio M. Marxuach Center for a New Economy February 25, 2020 CNE Puerto Ricos Think Tank

347 views • 13 slides
Overview &amp; Development Table of Contents 1 Simon Owen, CEO Business Overview

Overview &amp; Development Table of Contents 1 Simon Owen, CEO Business Overview

2018 Investor Tour INGENIA COMMUNITIES GROUP Overview &amp; Development Table of Contents 1 Simon Owen, CEO Business Overview Guidance Update Development Overview Latitude One Overview 2 Craig Shepherd, Project

247 views • 22 slides
Midterm 3 Review Slides Coordinate Systems on R n Recall: A set of n vectors { v 1 , v 2 , . . . ,

Midterm 3 Review Slides Coordinate Systems on R n Recall: A set of n vectors { v 1 , v 2 , . . . ,

Midterm 3 Review Slides Coordinate Systems on R n Recall: A set of n vectors { v 1 , v 2 , . . . , v n } form a basis for R n if and only if the matrix C with columns v 1 , v 2 , . . . , v n is invertible. If x = c 1 v 1 + c 2 v 2 + + c n

529 views • 16 slides
https://xkcd.com/538/ Cryptocurrencies &amp; Security on the Blockchain Cryptography Review

https://xkcd.com/538/ Cryptocurrencies &amp; Security on the Blockchain Cryptography Review

https://xkcd.com/538/ Cryptocurrencies &amp; Security on the Blockchain Cryptography Review Prof. Tom Austin San Jos State University Goals of Cryptography Confidentiality Protecting secrets Integrity Notice when something

980 views • 42 slides
Symmetric and Password-based encrypDon CS642: Computer

Symmetric and Password-based encrypDon CS642: Computer

Symmetric and Password-based encrypDon CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University

330 views • 29 slides
A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and

A Surfeit of SSH Cipher Suites Martin R. Albrecht, Jean Paul Degabriele, Torben B. Hansen and Kenneth G. Paterson ACM CCS - 27/10/2016 Outline of this talk Overview of SSH and related work. SSH deployment statistics. A new attack on

356 views • 25 slides
Quasi-Monte Carlo integration over the Euclidean space and applications Frances Kuo

Quasi-Monte Carlo integration over the Euclidean space and applications Frances Kuo

Quasi-Monte Carlo integration over the Euclidean space and applications Frances Kuo f.kuo@unsw.edu.au University of New South Wales, Sydney, Australia joint work with James Nichols (UNSW) Journal of Complexity 30 (2014) 444468. Frances

758 views • 14 slides
COIN-OR and the COIN-OR Optimization Suite Ted Ralphs COIN fORgery: Developing Open Source Tools

COIN-OR and the COIN-OR Optimization Suite Ted Ralphs COIN fORgery: Developing Open Source Tools

COIN-OR and the COIN-OR Optimization Suite Ted Ralphs COIN fORgery: Developing Open Source Tools for OR Institute for Mathematics and Its Applications, Minneapolis, MN T.K. Ralphs (Lehigh University) COIN-OR October 15, 2018 Intro First,

539 views • 38 slides
Lecture 3: Modes of Operation Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi

Lecture 3: Modes of Operation Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi

T-79.159 Cryptography and Data Security Lecture 3: Modes of Operation Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 04.02.2004 Lecture 3: Modes of Operation, Helger Lipmaa 1

705 views • 34 slides
CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu,

CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu,

CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. FSE 2014 March 3, 2014, London, UK 1 Outline A new

668 views • 33 slides

More recommend