TLS 1.3 - Eric Rescorla, Mozilla (ekr@rtfm.com) - Real-World Crypto 2015 (PowerPoint PPT Presentation)



SLIDE 1

TLS 1.3

Eric Rescorla, Mozilla, ekr@rtfm.com

TLS 1.3 Real-World Crypto 2015 1

SLIDE 2

Goals for TLS 1.3

  • Clean up: Remove unused or unsafe features
  • Improve privacy: Encrypt more of the handshake
  • Improve latency: Target: 1-RTT handshake for naïve clients; 0-RTT handshake for repeat connections
  • Continuity: Maintain existing important use cases


SLIDE 3

Talk Overview

  • Removed features
  • Current status
  • Remaining work


SLIDE 4

Removed Feature: Static RSA Key Exchange

  • Most SSL servers prefer non-PFS cipher suites [SSL14] (specifically static RSA)
  • Obviously suboptimal performance characteristics
  • No PFS
  • Gone in TLS 1.3
  • Important: you can still use RSA certificates
    – But with ECDHE or DHE
    – Using ECDHE minimizes performance hit


SLIDE 5

Removed Feature: Compression

  • Recently published vulnerabilities [DR12]
  • Nobody really knows how to use compression safely and generically
    – Sidenote: HTTP2 uses very limited context-specific compression [PR14]
  • TLS 1.3 bans compression entirely
    – TLS 1.3 clients MUST NOT offer any compression
    – TLS 1.3 servers MUST fail if compression is offered
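As an added illustration of the server-side rule above (example code written for this page, not from the talk or any TLS library): a minimal parser that walks a ClientHello body to the compression_methods vector and rejects anything but the single null method. The cipher-suite code points and the alert names are the final RFC 8446 ones, which postdate the 2015 draft the talk describes.

```python
import struct

# Offsets follow the ClientHello body layout (RFC 5246 / RFC 8446):
#   legacy_version(2) random(32) session_id<0..32>
#   cipher_suites<2..2^16-2> legacy_compression_methods<1..2^8-1> ...
NULL_COMPRESSION = b"\x00"

def build_client_hello(compression_methods: bytes) -> bytes:
    """Constructed ClientHello body (handshake header omitted) for testing."""
    body = b"\x03\x03" + bytes(32)            # legacy_version = TLS 1.2, zero random
    body += b"\x00"                            # empty session_id
    suites = b"\x13\x01\x13\x02"               # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression_methods)]) + compression_methods
    return body

def check_compression(body: bytes) -> str:
    """Server-side rule from the slide: fail if any compression is offered.
    Returns 'ok' or the name of the alert the server should send."""
    try:
        off = 2 + 32
        sid_len = body[off]
        off += 1 + sid_len
        (cs_len,) = struct.unpack_from("!H", body, off)
        off += 2 + cs_len
        cm_len = body[off]
        methods = body[off + 1:off + 1 + cm_len]
        if cm_len == 0 or len(methods) != cm_len:
            raise ValueError
    except (IndexError, struct.error, ValueError):
        return "decode_error"                  # malformed or truncated vectors
    if methods != NULL_COMPRESSION:
        return "illegal_parameter"             # RFC 8446: anything but a lone null method
    return "ok"
```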


SLIDE 6

Removed Feature: Non-AEAD Ciphers

  • Symmetric ciphers have been under a lot of stress (thanks, Kenny and friends)
    – RC4 [ABP+13]
    – AES-CBC [AP13] in MAC-then-Encrypt mode
  • TLS 1.3 bans all non-AEAD ciphers
    – Current AEAD ciphers for TLS: AES-GCM, AES-CCM, ARIA-GCM, Camellia-GCM, ChaCha/Poly (coming soon)


SLIDE 7

Removed Feature: Custom (EC)DHE groups

  • Previous versions of TLS allowed the server to specify their own DHE group
    – The only way things worked for finite field DHE
    – (Almost unused) option for ECDHE
  • This isn’t optimal
    – Servers didn’t know what size FF group client would accept
    – Hard for client to validate group [BLF+14]
  • TLS 1.3 only uses predefined groups
    – Existing RFC 4492 [BWBG+06] EC groups (+ whatever CFRG comes up with)∗
    – New FF groups defined in [Gil14]

∗Bonus: removed point format negotiation too


SLIDE 8

Removed Feature: Renegotiation

  • Previous versions of TLS allowed either side to initiate a new handshake
    – This was always kind of confusing to applications
    – And has been a source of vulnerabilities [RRDO10, BLF+14]
  • TLS 1.3 simply prohibits renegotiation


SLIDE 9

Why did we want renegotiation anyway?

  • Connection re-keying
    – Cryptographic exhaustion
    – PFS refresh
  • Adding client authentication (or doing private client auth)
  • We need to re-add at least some of this.
  • For the rest, drop connection and start over


SLIDE 10

Features we need to keep

  • Client authentication
  • Pre-shared keys
  • Session resumption (with tickets)
  • Extensions (ALPN, DTLS-SRTP, etc.)


SLIDE 11

Reminder: TLS 1.2 Handshake (PFS, no client auth)

  Client                                           Server

  ClientHello                         -------->
                                      <--------   ServerHello, Certificate,
                                                  ServerKeyExchange, ServerHelloDone
  ClientKeyExchange,
  [ChangeCipherSpec], Finished        -------->
                                      <--------   [ChangeCipherSpec], Finished
  Application Data                    <------->   Application Data

SLIDE 12

Basic Idea: Optimistic keying

  • Client provides (EC)DHE key shares from expected groups
  • Server responds with authenticated ECDHE share
  • If client uses an unsupported group, server corrects
  • Timing:
    – Server can send data in first flight
    – Client can send data in second flight


SLIDE 13

Basic 1-RTT TLS 1.3 Handshake

  Client                                           Server

  ClientHello, ClientKeyShare         -------->
                                      <--------   ServerHello, ServerKeyShare,
                                                  EncryptedExtensions, Certificate,
                                                  CertificateVerify, Finished_K1
  Finished_K1                         -------->
  Application Data_K2                 <------->   Application Data_K2

  (Subscripts K1 and K2 name the key each message is encrypted under.)

SLIDE 14

What if client uses an unsupported group?

  Client                                           Server

  ClientHello, ClientKeyShare         -------->
                                      <--------   HelloRetryRequest
  ClientHello, ClientKeyShare         -------->
                                      <--------   ServerHello, ServerKeyShare,
                                                  EncryptedExtensions, Certificate,
                                                  CertificateVerify, Finished_K1
  Finished_K1                         -------->
  Application Data_K2                 <------->   Application Data_K2
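The optimistic-keying flow from slides 12 to 14, modelled as an added example (not code from the talk, NSS or OpenSSL): the client advertises every group it accepts but only ships key shares for the groups it guesses, and the server either completes the 1-RTT path or corrects it with a HelloRetryRequest. Group names are illustrative (RFC 4492 curves plus an ffdhe group in the style of [Gil14]) and the shares are placeholder bytes rather than real (EC)DHE public keys.

```python
# Constructed model of the key-share negotiation on slides 12-14. Group
# names are illustrative and the "shares" are placeholder bytes, not
# (EC)DHE public keys.

class HelloRetryRequest:
    def __init__(self, group):
        self.group = group

class ServerHello:
    def __init__(self, group, share):
        self.group, self.share = group, share

def server_respond(supported_groups, key_shares, server_groups):
    """Server side of optimistic keying. The client lists every group it
    accepts but only sends shares for the ones it expects the server to
    pick. Take the server's most preferred common group: answer directly
    if a share for it arrived, otherwise ask the client to retry with one."""
    for group in server_groups:
        if group in supported_groups:
            if group in key_shares:
                return ServerHello(group, b"server-share:" + group.encode())
            return HelloRetryRequest(group)
    return None  # no common group: the handshake fails

def client_handshake(client_groups, guessed_groups, server_groups):
    """Drive the client; returns (negotiated group, number of ClientHello
    flights), so 1 means the 1-RTT path and 2 the corrected path."""
    shares = {g: b"client-share:" + g.encode() for g in guessed_groups}
    flights = 1
    reply = server_respond(client_groups, shares, server_groups)
    if isinstance(reply, HelloRetryRequest):
        # Only honour a retry for a group we advertised and did not already
        # send a share for; anything else is a bogus correction.
        if reply.group not in client_groups or reply.group in shares:
            raise ValueError("unacceptable HelloRetryRequest")
        shares = {reply.group: b"client-share:" + reply.group.encode()}
        flights += 1
        reply = server_respond(client_groups, shares, server_groups)
    if not isinstance(reply, ServerHello):
        raise ValueError("no mutually supported group")
    return reply.group, flights
```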

SLIDE 15

Backward Compatibility

  Client                                           Server

  ClientHello [TLS 1.3], ClientKeyShare -------->
                                        <--------   ServerHello [TLS 1.2]
                                        <--------   Alert

  • This means any new messages in first flight need to go in client extensions
    – At least for initial connections
    – Maybe always because of middleboxes
  • Also questions about version number negotiation


SLIDE 16
  • Measurements needed here


SLIDE 17

Client Authentication

  Client                                           Server

  ClientHello, ClientKeyShare         -------->
                                      <--------   ServerHello, ServerKeyShare,
                                                  EncryptedExtensions, Certificate,
                                                  CertificateRequest, CertificateVerify,
                                                  Finished_K1
  Certificate, CertificateVerify,
  Finished_K1                         -------->
  Application Data_K2                 <------->   Application Data_K2

SLIDE 18

Session Resumption

  • Resumption still works fine
    – ... But we just broke session tickets [SZET08]
    – And why do we have both anyway?
  • Tickets are more conceptually general than resumption
    – So let’s just do tickets


SLIDE 19

  Client                                           Server

  ClientHello, ClientKeyShare         -------->
                                      <--------   ServerHello, ServerKeyShare,
                                                  EncryptedExtensions, Certificate,
                                                  CertificateRequest, CertificateVerify,
                                                  Finished_K1
  Certificate, CertificateVerify,
  Finished_K1                         -------->
                                                  (Tickets need to go here)

SLIDE 20

What about mid-connection client authentication?

  • This was allowed in TLS 1.2 via renegotiation
    – It’s gone now
  • Should be easy to put it back in technically
  • But what are the semantics?
    – Retroactively bless previous messages?
    – Impact on session resumption?
  • Largely application, not protocol issues
  • Interaction with HTTP [BPT14, Tho14]


SLIDE 21

0-RTT

  • In general we understand how to do this [Lan10]
    – Client memorizes server’s DHE parameters
    – And sends first application data
    – Server needs to keep track of every client nonce
      ∗ Typically scoped by time window and/or a context token
    – Need to fall back if server loses state
  • Protocol engineering details need to be worked out
    – How does server indicate readiness to do 0-RTT?
    – How does client indicate use of 0-RTT?
    – How is first-flight application data carried?
  • This is next on the WG agenda
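An added sketch of the server-side nonce tracking that slide 21 calls for (written for this page, not the talk's or any implementation's code): a cache scoped by a context token and a time window, plus the lost-state fallback. It assumes a `client_time` freshness claim accompanies the 0-RTT data, which the slide leaves unspecified, and takes an injectable clock so the behaviour is deterministic.

```python
import time

class ZeroRttNonceCache:
    """Remembers (context_token, nonce) pairs seen with 0-RTT data. `window`
    is how far a client's freshness claim may deviate from server time;
    entries are kept for 2*window because a claim can sit up to `window`
    in the future, and evicting earlier would reopen a replay gap."""

    def __init__(self, window, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self.started = clock()        # when this server instance (re)started
        self.seen = {}                # (context_token, nonce) -> time first seen

    def accept(self, context_token, nonce, client_time):
        now = self.clock()
        # Lost state (restart): nonces accepted before the restart are
        # unknown, so refuse 0-RTT until every claim they could carry is
        # stale; the client falls back to a normal 1-RTT handshake.
        if now - self.started < 2 * self.window:
            return "refuse_no_state"
        cutoff = now - 2 * self.window
        for key in [k for k, t in self.seen.items() if t < cutoff]:
            del self.seen[key]        # cannot be replayed any more: claim is stale
        if abs(now - client_time) > self.window:
            return "stale"            # captured flight replayed too late (or clock skew)
        key = (context_token, nonce)
        if key in self.seen:
            return "replay"           # same nonce, same context, inside the window
        self.seen[key] = now
        return "ok"
```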


SLIDE 22

Implementations Planned/In-Progress

  • NSS
  • OpenSSL
  • miTLS
  • Pike programming language team
  • Your name here
  • Planning to start interop testing on -04 (1-RTT) this month


SLIDE 23

Advertisement: Interim

  • Expect a call for dates on list soon


SLIDE 24

Questions?


SLIDE 25

References

[ABP+13] Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the Security of RC4 in TLS. In USENIX Security, pages 305–320, 2013.

[AP13] N. AlFardan and Kenneth G. Paterson. Lucky 13: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy, 2013.

[BLF+14] Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti, and Pierre-Yves Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In Security and Privacy (SP), 2014 IEEE Symposium on, pages 98–113. IEEE, 2014.

[BPT14] Mike Belshe, Roberto Peon, and Martin Thomson. Hypertext Transfer Protocol version 2. Internet-Draft draft-ietf-httpbis-http2-14, Internet Engineering Task Force, July 2014. Work in progress.

[BWBG+06] S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), May 2006. Updated by RFCs 5246, 7027.

[DR12] Thai Duong and Juliano Rizzo. The CRIME attack. In Presentation at ekoparty Security Conference, 2012.

[Gil14] Daniel Kahn Gillmor. Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS. Internet-Draft draft-ietf-tls-negotiated-ff-dhe, Internet Engineering Task Force, August 2014. Work in progress.

[Lan10] Adam Langley. Transport Layer Security (TLS) Snap Start. Internet-Draft draft-agl-tls-snapstart-00, Internet Engineering Task Force, June 2010. Work in progress.

[PR14] Roberto Peon and Herve Ruellan. HPACK - Header Compression for HTTP/2. Internet-Draft draft-ietf-httpbis-header-compression-09, Internet Engineering Task Force, July 2014. Work in progress.

[RRDO10] E. Rescorla, M. Ray, S. Dispensa, and N. Oskov. Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard), February 2010.

[SSL14] SSL Pulse. https://www.ssllabs.com/, Dec 2014.

[SZET08] J. Salowey, H. Zhou, P. Eronen, and H. Tschofenig. Transport Layer Security (TLS) Session Resumption without Server-Side State. RFC 5077 (Proposed Standard), January 2008.

[Tho14] Martin Thomson. Client Authentication over New TLS Connection. Internet-Draft draft-thomson-httpbis-cant-01, Internet Engineering Task Force, July 2014. Work in progress.