tls 1 3
play

TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com TLS 1.3 1 Overview - PowerPoint PPT Presentation

Oct 24, 2023 •382 likes •1.03k views

TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com TLS 1.3 1 Overview Background/Review of TLS Some problems with TLS 1.2 Objectives for TLS 1.3 What does TLS 1.3 look like? Open issues/schedule/etc. TLS 1.3 2 What is Transport

  1. TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com TLS 1.3 1

  2. Overview • Background/Review of TLS • Some problems with TLS 1.2 • Objectives for TLS 1.3 • What does TLS 1.3 look like? • Open issues/schedule/etc. TLS 1.3 2

  3. What is Transport Layer Security? • Probably the Internet’s most important security protocol • Designed over 20 years ago by Netscape for Web transactions – Back then, called Secure Sockets Layer • But used for just about everything you can think of – HTTP – SSL-VPNs – E-mail – Voice/video – IoT • Maintained by the Internet Engineering Task Force – We’re now at version 1.2 TLS 1.3 3

  4. A Secure Channel • Client connects to a known server (e.g., it has the domain name) • Server is (almost) always authenticated by TLS • Client may or may not be authenticated by TLS – Often authenticated by the application, e.g., with a password • After setup, data is encrypted and authenticated – Though what “authenticated” means to the server is fuzzy TLS 1.3 4

  5. TLS Structure • Handshake protocol – Establish shared keys (typically using public key cryptography) – Negotiate algorithms, modes, parameters – Authenticate one or both sides • Record protocol – Carry individual messages – Protected under symmetric keys • This is a common design (SSH, IPsec, etc.) TLS 1.3 5

  6. � � � � � � TLS 1.2: RSA Handshake Skeleton Client Server ClientHello [Random] ServerHello [Random], Certificate E( K s , Master Secret), Finished=MAC(MS, Handshake) Finished=MAC(MS, Handshake) Application data TLS 1.3 6

  7. More on Negotiation • ClientHello contains more than just random values struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites<2..2^16-2>; CompressionMethod compression_methods<1..2^8-1>; select (extensions_present) { case false: struct {}; case true: Extension extensions<0..2^16-1>; }; } ClientHello; TLS 1.3 7

  8. Client Offers, Server Chooses struct { ProtocolVersion server_version; Random random; SessionID session_id; CipherSuite cipher_suite; CompressionMethod compression_method; select (extensions_present) { case false: struct {}; case true: Extension extensions<0..2^16-1>; }; } ServerHello; TLS 1.3 8

  9. What’s in a Cipher Suite? • Key Exchange (RSA, DHE, ECDHE, PSK, ...) • Authentication (RSA, DSS, ECDSA, ...) • Encryption (AES, Camellia, ...) • MAC (MD5, SHA1, SHA256, ...) TLS 1.3 9

  10. � � � � � � � � � � TLS 1.2: Renegotiation Client Server ClientHello [Random] ServerHello [Random], Certificate E( K s , Master Secret), Finished Finished ClientHello [Random] ServerHello [Random], Certificate E( K s , Master Secret), Finished Finished Application data TLS 1.3 10

  11. � � � � � � � � � � � � � � � � Renegotiation Attack [RRDO10] Attacker Client Server ClientHello [Random] ServerHello [Random], Certificate E( K s , Master Secret), Finished Finished POST /... ClientHello [Random] ClientHello [Random] ServerHello [Random], Certificate ServerHello [Random], Certificate E( K s , Master Secret), Finished E( K s , Master Secret), Finished Finished Finished POST /... Cookie=... TLS 1.3 11

  12. Why is this bad? • Attacker gets to splice their data to the client’s • Example – Attacker-controlled request + – Client’s credentials • This looks like a renegotiation to server TLS 1.3 12

  13. Renegotiation Info Extension [RFC5746] • New extension in { Client,Server } Hello – Client’s version contains its last Finished on this connection – Server’s version contains last pair of Finished from this connection • If you’re not renegotiating with the same person you get a mismatch TLS 1.3 13

  14. Uses for renegotiation (or, why can’t we just get rid of it...) • Conceal the client’s certificate • Post-handshake client authentication • Refresh the traffic keying material TLS 1.3 14

  15. � � � � � � � � � � � TLS 1.2: Renegotiation for Client Authentication ClientHello [Random] ServerHello [Random], Certificate, Sign( K s , g s , ...) g c , Finished Finished GET /secure... HelloRequest ClientHello [Random] ServerHello [Random], Certificate, CertificateRequest, Sign( K s , g s , ...) g c , Certificate, Sign( K c , ...), Finished Finished Response TLS 1.3 15

  16. Session Resumption • “Public key” operations are comparatively expensive – They used to be really expensive • Solution: amortize this operation across multiple connections TLS 1.3 16

  17. � � � � � � Session Establishment Client Server ClientHello [Random, SessionID] ServerHello [Random, SessionID], Certificate E( K s , Master Secret), Finished Finished Application data TLS 1.3 17

  18. � � � � � Session Resumption Client Server ClientHello [Random, SessionID] ServerHello [Random, SessionID], Finished Finished Application data • No new public key operations • Reuse MS from last handshake TLS 1.3 18

  19. � � � � � � � � Triple Handshake (I) Attacker Client Server ClientHello [Random] ClientHello [Random] ServerHello [Random], Certificate ServerHello [Random], Certificate E( K a , Master Secret), Finished E( K s , Master Secret), Finished Finished Finished • These connections have the same Master Secret • “Unknown key share” attack TLS 1.3 19

  20. � � � � � � � � � � Triple Handshake (II) Client Attacker Server ClientHello [Random, SessionID] ServerHello [Random, SessionID], Finished Finished GET /secure-resource HelloRequest ClientHello [Random] ServerHello [Random], CertificateRequest, Certificate E( K s , Master Secret), Certificate, Sign( K c , ...), Finished MAC(MS, Handshake ) Response TLS 1.3 20

  21. What’s the impact? • Resurrection of renegotiation attack • Attacker controls the request • Client authenticates it • Thinks he’s authenticating to the attacker • ... but he’s authenticating to the server TLS 1.3 21

  22. Fixing the Triple Handshake (Session Hash) • The problem is the unknown key share on the first handshake • Fix is to hash the server certificate into the master secret • Resumed handshakes inherit this context TLS 1.3 22

  23. TLS 1.3 Objectives • Clean up: Remove unused or unsafe features • Security: Improve security by using modern security analysis techniques • Privacy: Encrypt more of the protocol • Performance: Our target is a 1-RTT handshake for naive clients; 0-RTT handshake for repeat connections • Continuity: Maintain existing important use cases TLS 1.3 23

  24. Removed Features • Static RSA • Custom (EC)DHE groups • Compression • Renegotiation ∗ • Non-AEAD ciphers • Simplified resumption ∗ Special accommodation for inline client authentication TLS 1.3 24

  25. Removed Feature: Static RSA Key Exchange • Most SSL servers prefer non-PFS cipher suites [SSL14] (specifically static RSA) • Obviously suboptimal performance characteristics • No PFS • Gone in TLS 1.3 • Important: you can still use RSA certificates – But with ECDHE or DHE – Using ECDHE minimizes performance hit TLS 1.3 25

  26. Removed Feature: Compression • Recently published vulnerabilities [DR12] • Nobody really knows how to use compression safely and generically – Sidenote: HTTP2 uses very limited context-specific compression [PR14] • TLS 1.3 bans compression entirely – TLS 1.3 clients MUST NOT offer any compression – TLS 1.3 servers MUST fail if compression is offered TLS 1.3 26

  27. Removed Feature: Non-AEAD Ciphers • Symmetric ciphers have been under a lot of stress (thanks, Kenny and friends) – RC4 [ABP + 13] – AES-CBC [AP13] in MAC-then-Encrypt mode • TLS 1.3 bans all non-AEAD ciphers – Current AEAD ciphers for TLS: AES-GCM, AES-CCM, ARIA-GCM, Camellia-GCM, ChaCha/Poly (coming soon) TLS 1.3 27

  28. Removed Feature: Custom (EC)DHE groups • Previous versions of TLS allowed the server to specify their own DHE group – The only way things worked for finite field DHE – (Almost unused) option for ECDHE • This isn’t optimal – Servers didn’t know what size FF group client would accept – Hard for client to validate group [BLF + 14] • TLS 1.3 only uses predefined groups – Existing RFC 4492 [BWBG + 06] EC groups (+ whatever CFRG comes up with) ∗ – New FF groups defined in [Gil14] ∗ Bonus: removed point format negotiation too TLS 1.3 28

  29. Optimizing Through Optimism • TLS 1.2 assumed that the client knew nothing – First round trip mostly consumed by learning server capabilities • TLS 1.3 narrows the range of options – Only (EC)DHE – Limited number of groups • Client can make a good guess at server’s capabilities – Pick its favorite groups and send a DH share TLS 1.3 29

  30. � � � � � � TLS 1.3 1-RTT Handshake Skeleton Client Server ClientHello [Random, g c ] ServerHello [Random, g s ] Certificate, Sign( K s , Handshake), Finished Application data Finished Application data • Server can write on its first flight • Client can write on second flight • Keys derived from handshake transcript through server MAC • Server certificate is encrypted – Only secure against passive attackers TLS 1.3 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Skeletons for transitive fibered maps Katrin Gelfert (UFRJ, Brazil) joint work with L. J. Daz

Skeletons for transitive fibered maps Katrin Gelfert (UFRJ, Brazil) joint work with L. J. Daz

Skeletons for transitive fibered maps Katrin Gelfert (UFRJ, Brazil) joint work with L. J. Daz and M. Rams March 29, 2016 Skeletons for transitive fibered maps March 29, 2016 1 / 10 Axioms: Some notation Consider a one step skew-product F :

498 views • 21 slides
Treetopes And Their Graphs David Eppstein ACMSIAM Symposium on Discrete Algorithms Arlington,

Treetopes And Their Graphs David Eppstein ACMSIAM Symposium on Discrete Algorithms Arlington,

Treetopes And Their Graphs David Eppstein ACMSIAM Symposium on Discrete Algorithms Arlington, Virginia, January 2016 Two possibly NP-intermediate problems, I Steinitzs theorem: Graphs of 3d convex polyhedra = 3-vertex-connected planar

427 views • 21 slides
Ripser++: GPU-Accelerated Computation of Vietoris-Rips Persistence Barcodes Simon Zhang, Mengbai

Ripser++: GPU-Accelerated Computation of Vietoris-Rips Persistence Barcodes Simon Zhang, Mengbai

Ripser++: GPU-Accelerated Computation of Vietoris-Rips Persistence Barcodes Simon Zhang, Mengbai Xiao and Hao Wang The Ohio State University, USA 1 What is a Vietoris-Rips Filtration? Let X be a set of points with an underlying metric

334 views • 29 slides
Using Turktools Hadas Kotek (based on materials created in collaboration with Michael Y.

Using Turktools Hadas Kotek (based on materials created in collaboration with Michael Y.

Using Turktools Hadas Kotek (based on materials created in collaboration with Michael Y. Erlewine) Experimental semantics and pragmatics NYU, October 2017 In these slides 1 Why experimentation? Basic considerations. 2 Turktools basics:

772 views • 38 slides
Triangles, Squares and Biautomaticity Jon McCammond (U.C. Santa Barbara) Rena Levitt (U.C. Santa

Triangles, Squares and Biautomaticity Jon McCammond (U.C. Santa Barbara) Rena Levitt (U.C. Santa

Triangles, Squares and Biautomaticity Jon McCammond (U.C. Santa Barbara) Rena Levitt (U.C. Santa Barbara) 1 The Basic Problems Consider a tiling of the plane by regular triangles and squares. 1) How many such tilings are there? 2) What does a

509 views • 27 slides
The Visibility Skeleton Frdo Durand, George Drettakis, Claude Puech Visibility Skeleton Graph

The Visibility Skeleton Frdo Durand, George Drettakis, Claude Puech Visibility Skeleton Graph

The Visibility Skeleton Frdo Durand, George Drettakis, Claude Puech Visibility Skeleton Graph of visual events (visibility changes): Nodes Extremal stabbing lines (0D). Arcs Critical line sets or line swaths (1D). Generator

379 views • 10 slides
Towards Software Component Assembly Language Enhanced with Workflows and Skeletons Marco

Towards Software Component Assembly Language Enhanced with Workflows and Skeletons Marco

Towards Software Component Assembly Language Enhanced with Workflows and Skeletons Marco ALDINUCCI and Marco DANELUTTO UNIPI - University of Pisa (Italy) Hinde Lilia BOUZIANE and Christian PEREZ Projet-team GRAAL - INRIA Rhne-Alpes - ENS

602 views • 22 slides
Hardware Design with VHDL VHDL Basics ECE 443 Skeleton of a Basic VHDL Program This slide set

Hardware Design with VHDL VHDL Basics ECE 443 Skeleton of a Basic VHDL Program This slide set

Hardware Design with VHDL VHDL Basics ECE 443 Skeleton of a Basic VHDL Program This slide set covers the components to a basic VHDL program, including lexical ele- ments, program format, data types and operators A VHDL program consists of a

502 views • 34 slides
Visualizing API Usage Examples at Scale Elena L. Glassman 1 *, Tianyi Zhang 2 *, Bjrn Hartmann 1

Visualizing API Usage Examples at Scale Elena L. Glassman 1 *, Tianyi Zhang 2 *, Bjrn Hartmann 1

Visualizing API Usage Examples at Scale Elena L. Glassman 1 *, Tianyi Zhang 2 *, Bjrn Hartmann 1 , Miryung Kim 2 1 University of California, Berkeley 2 University of California, Los Angeles The two lead authors contributed equally to the work as

538 views • 27 slides
In-Home Daily-Life Captioning Using Radio Signals Lijie Fan* Tianhong Li* Yuan Yuan

In-Home Daily-Life Captioning Using Radio Signals Lijie Fan* Tianhong Li* Yuan Yuan

In-Home Daily-Life Captioning Using Radio Signals Lijie Fan* Tianhong Li* Yuan Yuan Dina Katabi MIT CSAIL * denotes equal contribution How can I make sure grandma is fine? How can I make sure grandma is fine? Daily Life Captioning

496 views • 25 slides
Distributed Systems Remote Procedure Calls Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Remote Procedure Calls Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Remote Procedure Calls Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Page 1 Page 1 Problems with sockets

432 views • 21 slides
Automatic Skinning via Constrained Energy Optimization Alec Jacobson Columbia University

Automatic Skinning via Constrained Energy Optimization Alec Jacobson Columbia University

Skinning: Real-time Shape Deformation Automatic Skinning via Constrained Energy Optimization Alec Jacobson Columbia University 1 Traditional skinning pipeline is labor intensive v v 0 = X w j ( v ) T j 1 j 2 H 2

1.39k views • 103 slides
Eden: Parallel Processes, Patterns and Skeletons Jost Berthold berthold@diku.dk Department of

Eden: Parallel Processes, Patterns and Skeletons Jost Berthold berthold@diku.dk Department of

u n i v e r s i t y o f c o p e n h a g e n d e p a r t m e n t o f c o m p u t e r s c i e n c e Faculty of Science Eden: Parallel Processes, Patterns and Skeletons Jost Berthold berthold@diku.dk Department of Computer Science Heriot-Watt

769 views • 63 slides
1 Data parallelism Data-parallel Reduction Given: Given: One or several data

1 Data parallelism Data-parallel Reduction Given: Given: One or several data

DF21500 Multicore Computing, 2009 Example: Prof. Dr. Christoph Kessler, IDA, Linkping university 1D smoothening in C ... float filter ( float a, b, c) { return wa*a + wb*b + wc*c; } P void main ( int argc , char * argv [] ) { float *

349 views • 4 slides
An Overview of Algebraic Topology Richard Wong UT Austin Math Club Talk, March 2017 Slides can

An Overview of Algebraic Topology Richard Wong UT Austin Math Club Talk, March 2017 Slides can

Topological Spaces Algebraic Topology Summary An Overview of Algebraic Topology Richard Wong UT Austin Math Club Talk, March 2017 Slides can be found at http://www.ma.utexas.edu/users/richard.wong/ Richard Wong University of Texas at Austin

623 views • 31 slides
Vectorization in Graphics Recognition: To Thin or not to Thin Karl Tombre and Salvatore Tabbone

Vectorization in Graphics Recognition: To Thin or not to Thin Karl Tombre and Salvatore Tabbone

' $ Vectorization in Graphics Recognition: To Thin or not to Thin Karl Tombre and Salvatore Tabbone September 2000 &amp; % ' $ To Thin or not to Thin Graphics recognition Graphics recognition Analysis of graphics-intensive documents

497 views • 17 slides
Disentangling and Unifying Graph Convolutions for Skeleton-Based Action Recognition Ziyu Liu 1,3 ,

Disentangling and Unifying Graph Convolutions for Skeleton-Based Action Recognition Ziyu Liu 1,3 ,

Disentangling and Unifying Graph Convolutions for Skeleton-Based Action Recognition Ziyu Liu 1,3 , Hongwen Zhang 2 , Zhenghao Chen 1 , Zhiyong Wang 1 , Wanli Ouyang 1,3 1 The University of Sydney, 2 University of Chinese Academy of Sciences &amp;

596 views • 41 slides
r rr r rs

r rr r rs

r rr r rs r t q P s r

1.51k views • 124 slides
Three questions on graphs of polytopes Guillermo Pineda-Villavicencio Federation University

Three questions on graphs of polytopes Guillermo Pineda-Villavicencio Federation University

Three questions on graphs of polytopes Guillermo Pineda-Villavicencio Federation University Australia G. Pineda-Villavicencio (FedUni) Mar 18 1 / 30 Outline A polytope as a combinatorial object 1 First question: Reconstruction of polytopes

878 views • 52 slides
We put stunning user experiences on the road. 2 Agenda Prototyping

We put stunning user experiences on the road. 2 Agenda Prototyping

Rapid UI Prototyping Using Qt Quick By Jrgen Bocklage-Ryannel We put stunning user experiences on the road. 2 Agenda Prototyping Prototyping with QML Prototyping with QML Demo Prototyping Prototyping

707 views • 22 slides
ROVIS Rosetta visualisation and (much) more Bjrn Grieger Trajectories and Operations

ROVIS Rosetta visualisation and (much) more Bjrn Grieger Trajectories and Operations

Skeleton Plan Software Toolkit Demonstration ROVIS Rosetta visualisation and (much) more Bjrn Grieger Trajectories and Operations Simulations (T OS) Rosetta SGS Development ESA/ESAC, Madrid, Spain Rosetta Visualisation and Modelling

396 views • 14 slides
CS425 /ECE428 Distributed Systems Spring 2020 Material derived from slides by I. Gupta, M.

CS425 /ECE428 Distributed Systems Spring 2020 Material derived from slides by I. Gupta, M.

CS425 /ECE428 Distributed Systems Spring 2020 Material derived from slides by I. Gupta, M. Harandi, J. Hou, S. Mitra, K. Nahrstedt, N. Vaidya MP2 extension until April 17 MP3 released Monday, will be reduced difficulty HW5 out

760 views • 34 slides
rs t rr r

rs t rr r

rs t rr r Prr Prtt r Prrss sss Ptr r

682 views • 27 slides
Probabilistic Graphical Models Lecture 4 Learning Bayesian Networks CS/CNS/EE 155 Andreas

Probabilistic Graphical Models Lecture 4 Learning Bayesian Networks CS/CNS/EE 155 Andreas

Probabilistic Graphical Models Lecture 4 Learning Bayesian Networks CS/CNS/EE 155 Andreas Krause Announcements Another TA: Hongchao Zhou Please fill out the questionnaire about recitations Homework 1 out. Due in class Wed Oct 21

915 views • 43 slides

More recommend