  1. TLS 1.3
     Eric Rescorla, Mozilla, ekr@rtfm.com
     TLS 1.3 Real-World Crypto 2015 1

  2. Goals for TLS 1.3
     • Clean up: Remove unused or unsafe features
     • Improve privacy: Encrypt more of the handshake
     • Improve latency: Target: 1-RTT handshake for naïve clients; 0-RTT handshake for repeat connections
     • Continuity: Maintain existing important use cases

  3. Talk Overview
     • Removed features
     • Current status
     • Remaining work

  4. Removed Feature: Static RSA Key Exchange
     • Most SSL servers prefer non-PFS cipher suites [SSL14] (specifically static RSA)
     • Obviously suboptimal performance characteristics
     • No PFS
     • Gone in TLS 1.3
     • Important: you can still use RSA certificates
       – But with ECDHE or DHE
       – Using ECDHE minimizes the performance hit

  5. Removed Feature: Compression
     • Recently published vulnerabilities [DR12]
     • Nobody really knows how to use compression safely and generically
       – Sidenote: HTTP/2 uses very limited context-specific compression [PR14]
     • TLS 1.3 bans compression entirely
       – TLS 1.3 clients MUST NOT offer any compression
       – TLS 1.3 servers MUST fail if compression is offered

  6. Removed Feature: Non-AEAD Ciphers
     • Symmetric ciphers have been under a lot of stress (thanks, Kenny and friends)
       – RC4 [ABP+13]
       – AES-CBC [AP13] in MAC-then-Encrypt mode
     • TLS 1.3 bans all non-AEAD ciphers
       – Current AEAD ciphers for TLS: AES-GCM, AES-CCM, ARIA-GCM, Camellia-GCM, ChaCha/Poly (coming soon)

  7. Removed Feature: Custom (EC)DHE groups
     • Previous versions of TLS allowed the server to specify its own DHE group
       – The only way things worked for finite field DHE
       – (Almost unused) option for ECDHE
     • This isn't optimal
       – Servers didn't know what size FF group the client would accept
       – Hard for the client to validate the group [BLF+14]
     • TLS 1.3 only uses predefined groups
       – Existing RFC 4492 [BWBG+06] EC groups (+ whatever CFRG comes up with) (*)
       – New FF groups defined in [Gil14]
     (*) Bonus: removed point format negotiation too

  8. Removed Feature: Renegotiation
     • Previous versions of TLS allowed either side to initiate a new handshake
       – This was always kind of confusing to applications
       – And has been a source of vulnerabilities [RRDO10, BLF+14]
     • TLS 1.3 simply prohibits renegotiation

  9. Why did we want renegotiation anyway?
     • Connection re-keying
       – Cryptographic exhaustion
       – PFS refresh
     • Adding client authentication (or doing private client auth)
     • We need to re-add at least some of this.
     • For the rest, drop the connection and start over

  10. Features we need to keep
      • Client authentication
      • Pre-shared keys
      • Session resumption (with tickets)
      • Extensions (ALPN, DTLS-SRTP, etc.)

  11. Reminder: TLS 1.2 Handshake (PFS, no client auth)
      Client -> Server: ClientHello
      Server -> Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
      Client -> Server: ClientKeyExchange, [ChangeCipherSpec], Finished
      Server -> Client: [ChangeCipherSpec], Finished
      Client <-> Server: Application Data

  12. Basic Idea: Optimistic keying
      • Client provides (EC)DHE key shares from expected groups
      • Server responds with an authenticated ECDHE share
      • If the client uses an unsupported group, the server corrects it
      • Timing:
        – Server can send data in its first flight
        – Client can send data in its second flight

  13. Basic 1-RTT TLS 1.3 Handshake
      Client -> Server: ClientHello, ClientKeyShare
      Server -> Client: ServerHello, ServerKeyShare
      Server -> Client: EncryptedExtensions, Certificate, CertificateVerify, Finished (K1)
      Client -> Server: Finished (K1)
      Client <-> Server: Application Data (K2)

  14. What if the client uses an unsupported group?
      Client -> Server: ClientHello, ClientKeyShare
      Server -> Client: HelloRetryRequest
      Client -> Server: ClientHello, ClientKeyShare
      Server -> Client: ServerHello, ServerKeyShare
      Server -> Client: EncryptedExtensions, Certificate, CertificateVerify, Finished (K1)
      Client -> Server: Finished (K1)
      Client <-> Server: Application Data (K2)
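The optimistic-keying negotiation on slides 12 to 14, modelled in a few lines of Python. This is an added example, not code from the talk or from any TLS implementation: the group names are TLS named groups, the share values are constructed placeholders rather than real (EC)DHE public keys, and the server is assumed to pick groups in its own preference order.

```python
# Added example (not from the talk): toy model of TLS 1.3 "optimistic keying".
# The client guesses which groups the server will accept and ships key shares
# only for those; a wrong guess costs one extra round trip (HelloRetryRequest).
# Share values are constructed placeholders, not real (EC)DHE public keys.

def client_hello(supported_groups, share_groups):
    """Client lists every group it supports but only ships shares for the ones it expects."""
    return {"supported_groups": list(supported_groups),
            "key_shares": {g: b"share:" + g.encode() for g in share_groups}}

def server_respond(hello, server_groups):
    """Server picks the first group (in its own preference order) the client supports."""
    common = [g for g in server_groups if g in hello["supported_groups"]]
    if not common:
        return ("Alert", "handshake_failure")     # no group in common: handshake cannot proceed
    chosen = common[0]
    if chosen in hello["key_shares"]:
        return ("ServerHello", chosen)            # client guessed right: 1-RTT path
    return ("HelloRetryRequest", chosen)          # client guessed wrong: ask for a share in `chosen`

def run_handshake(client_supported, client_share_groups, server_groups):
    """Returns (final server message, its parameter, list of flights on the wire)."""
    flights = []
    hello = client_hello(client_supported, client_share_groups)
    flights.append("ClientHello+KeyShare[%s]" % ",".join(hello["key_shares"]))
    msg, val = server_respond(hello, server_groups)
    flights.append("%s[%s]" % (msg, val))
    if msg == "HelloRetryRequest":
        # The corrected group must be one the client itself offered; anything
        # else is a misbehaving server and the client should abort, not comply.
        if val not in client_supported:
            return ("Alert", "illegal_parameter", flights)
        hello = client_hello(client_supported, [val])   # second ClientHello: share for `val` only
        flights.append("ClientHello+KeyShare[%s]" % val)
        msg, val = server_respond(hello, server_groups)
        flights.append("%s[%s]" % (msg, val))
    return (msg, val, flights)
```

Two flights means the 1-RTT path; four flights means the client guessed wrong and paid the HelloRetryRequest round trip.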

  15. Backward Compatibility
      Client -> Server: ClientHello [TLS 1.3], ClientKeyShare
      Server -> Client: ServerHello [TLS 1.2]
      Server -> Client: Alert
      • This means any new messages in the first flight need to go in client extensions
        – At least for initial connections
        – Maybe always, because of middleboxes
      • Also questions about version number negotiation

  16. (continued)
      • Measurements needed here

  17. Client Authentication
      Client -> Server: ClientHello, ClientKeyShare
      Server -> Client: ServerHello, ServerKeyShare
      Server -> Client: EncryptedExtensions, Certificate, CertificateRequest, CertificateVerify, Finished (K1)
      Client -> Server: Certificate, CertificateVerify, Finished (K1)
      Client <-> Server: Application Data (K2)

  18. Session Resumption
      • Resumption still works fine
        – ... But we just broke session tickets [SZET08]
        – And why do we have both anyway?
      • Tickets are more conceptually general than resumption
        – So let's just do tickets

  19. (Where do tickets go?)
      Client -> Server: ClientHello, ClientKeyShare
      Server -> Client: ServerHello, ServerKeyShare
      Server -> Client: EncryptedExtensions, Certificate, CertificateRequest, CertificateVerify, Finished (K1)
      Client -> Server: Certificate, CertificateVerify, Finished (K1)
      Tickets need to go here

  20. What about mid-connection client authentication?
      • This was allowed in TLS 1.2 via renegotiation
        – It's gone now
      • Should be easy to put it back in technically
      • But what are the semantics?
        – Retroactively bless previous messages?
        – Impact on session resumption?
      • Largely application, not protocol issues
      • Interaction with HTTP [BPT14, Tho14]

  21. 0-RTT
      • In general we understand how to do this [Lan10]
        – Client memorizes the server's DHE parameters
        – And sends first application data
        – Server needs to keep track of every client nonce
          ∗ Typically scoped by a time window and/or a context token
        – Need to fall back if the server loses state
      • Protocol engineering details need to be worked out
        – How does the server indicate readiness to do 0-RTT?
        – How does the client indicate use of 0-RTT?
        – How is first-flight application data carried?
      • This is next on the WG agenda
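The server-side bookkeeping that slide 21 calls for, as an added example that is not part of the talk and not any TLS library's API: every client nonce is remembered, scoped by a context token and a time window, and the server falls back to a full handshake whenever it has lost or expired that state. Token and nonce values are constructed placeholders, and the clock is injected so the window can be exercised.

```python
# Added example (not from the talk): toy 0-RTT anti-replay state for a server.
# A nonce is only meaningful under the context token it was sent with; once a
# token ages out of the window, its nonce set is dropped and any later 0-RTT
# flight under that token is downgraded to a 1-RTT handshake instead.

class ZeroRttReplayGuard:
    ACCEPT, REPLAY, FALLBACK = "accept", "replay", "fallback"

    def __init__(self, window_seconds, clock):
        self.window = window_seconds
        self.clock = clock                  # injectable so tests can move time forward
        self.tokens = {}                    # context token -> time it was issued
        self.seen = {}                      # context token -> set of nonces already used

    def issue_token(self, token):
        # Handed to the client at the end of a full handshake, alongside the
        # server DHE parameters the client will memorize for its 0-RTT flight.
        self.tokens[token] = self.clock()
        self.seen[token] = set()

    def _expire(self):
        cutoff = self.clock() - self.window
        for tok in [t for t, issued in self.tokens.items() if issued < cutoff]:
            del self.tokens[tok]            # dropping the token also frees its nonce set
            del self.seen[tok]

    def check(self, token, nonce):
        """Decide what to do with a 0-RTT flight carrying (token, nonce)."""
        self._expire()
        if token not in self.tokens:        # unknown token: state lost, or outside the window
            return self.FALLBACK            # discard early data, continue as an ordinary 1-RTT handshake
        if nonce in self.seen[token]:
            return self.REPLAY              # same flight seen before: early data must not be processed
        self.seen[token].add(nonce)
        return self.ACCEPT

    def lose_state(self):
        # Simulates a server restart: every outstanding token now yields FALLBACK,
        # which is exactly why the slide says the protocol must support falling back.
        self.tokens.clear()
        self.seen.clear()
```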

  22. Implementations Planned/In-Progress
      • NSS
      • OpenSSL
      • miTLS
      • Pike programming language team
      • Your name here
      • Planning to start interop testing on -04 (1-RTT) this month

  23. Advertisement: Interim
      • Expect a call for dates on the list soon

  24. Questions?

  25. References
      [ABP+13] Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the Security of RC4 in TLS. In USENIX Security, pages 305–320, 2013.
      [AP13] N. AlFardan and Kenneth G. Paterson. Lucky 13: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy, 2013.
      [BLF+14] Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti, and Pierre-Yves Strub. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In Security and Privacy (SP), 2014 IEEE Symposium on, pages 98–113. IEEE, 2014.
      [BPT14] Mike Belshe, Roberto Peon, and Martin Thomson. Hypertext Transfer Protocol version 2. Internet-Draft draft-ietf-httpbis-http2-14, Internet Engineering Task Force, July 2014. Work in progress.
      [BWBG+06] S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), May 2006. Updated by RFCs 5246, 7027.
      [DR12] Thai Duong and Juliano Rizzo. The CRIME attack. In Presentation at ekoparty Security Conference, 2012.
      [Gil14] Daniel Kahn Gillmor. Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS. Internet-Draft draft-ietf-tls-negotiated-ff-dhe, Internet Engineering Task Force, August 2014. Work in progress.
      [Lan10] Adam Langley. Transport Layer Security (TLS) Snap Start. Internet-Draft draft-agl-tls-snapstart-00, Internet Engineering Task Force, June 2010. Work in progress.
      [PR14] Roberto Peon and Herve Ruellan. HPACK - Header Compression for HTTP/2. Internet-Draft draft-ietf-httpbis-header-compression-09, Internet Engineering Task Force, July 2014. Work in progress.
      [RRDO10] E. Rescorla, M. Ray, S. Dispensa, and N. Oskov. Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard), February 2010.
      [SSL14] SSL Pulse. https://www.ssllabs.com/, Dec 2014.
      [SZET08] J. Salowey, H. Zhou, P. Eronen, and H. Tschofenig. Transport Layer Security (TLS) Session Resumption without Server-Side State. RFC 5077 (Proposed Standard), January 2008.
      [Tho14] Martin Thomson. Client Authentication over New TLS Connection. Internet-Draft draft-thomson-httpbis-cant-01, Internet Engineering Task Force, July 2014. Work in progress.
