TLS 1.3: What developers should know about the APIs Daiki Ueno - - PowerPoint PPT Presentation



SLIDE 1

TLS 1.3: What developers should know about the APIs

Daiki Ueno

Red Hat Crypto team

SLIDE 2

TLS 1.3: RFC 8446

Published in August 2018

– Low latency
– More security
– Cleaner protocol

SLIDE 3

Low latency: 1-RTT handshake

[Figure: TLS 1.2 vs TLS 1.3 handshake timeline. Labels: key exchange & authentication, authentication* + client Finished, application traffic]

TLS 1.2: 2-RTT
TLS 1.3: 1-RTT

SLIDE 4

More security

  • No RSA / static DH key exchange
  • Legacy algorithms were removed
  • All symmetric ciphers are AEAD

SLIDE 5

Protocol refactoring

  • Ciphersuites
  • Session resumption

SLIDE 6

Ciphersuites

TLS 1.2 ciphersuite: Key Exchange + Cipher Algorithm + MAC Algorithm + Hash Algorithm (> 100 ciphersuites)

TLS 1.3 ciphersuite: Cipher Algorithm (AEAD) + Hash Algorithm (5 ciphersuites); the key exchange is negotiated separately, in the key_share extension

SLIDE 7

Session resumption

TLS 1.2: session ID

[Figure: 1st connection / 2nd connection]

– 1st connection: client and server share the secret; the client keeps the secret; the server stores the state in the session cache
– 2nd connection: the client sends the previous session ID

SLIDE 8

Session resumption

TLS 1.3: session ticket

[Figure: 1st connection / 2nd connection]

– 1st connection: client and server share the secret; the client keeps the secret; the server doesn't need to keep the secret
– 2nd connection: the client sends back the ticket
– Forward secure if DHE key exchange is used

SLIDE 9

How can I use TLS 1.3?

  • Enabled in major libraries

– OpenSSL, GnuTLS, NSS

  • No/little code changes are needed

– for typical use-cases

  • New features need new API

SLIDE 10

New features

  • Post-handshake authentication
  • Key update
  • Length hiding
  • 0-RTT mode

SLIDE 11

What is a good API?

  • Usability
  • Flexibility
SLIDE 12

Usability

  • Easy to use, hard to misuse
  • "Huffman coding" by usage pattern

– Less code for common use-cases

– More code for uncommon use-cases

  • Default to be safe

SLIDE 13

Flexibility

  • Scale from embedded to servers

– Decouple resource access from the code
– Provide callbacks

  • Future proof

– There will probably be TLS 1.4
– Don't assume parameters are fixed

SLIDE 14

What is a good API?

Christoph Strässler (CC-BY-SA 2.0)

Usability Flexibility

SLIDE 15

Existing design choices

  • I/O abstraction

– Generic I/O used for both TLS and non-TLS

  • Handshake

– Explicitly triggered or implicitly during I/O

  • Resumption data

– Manually or automatically tracked

SLIDE 16

Existing design choices

Library   I/O abstraction   Handshake             Resumption data
OpenSSL   Yes (BIO)         Implicit / explicit   Automatic (cached per-ctx)
GnuTLS    No                Explicit              Manual
NSS       Yes (NSPR)        Implicit / explicit   Automatic (cached per-process)

SLIDE 17

New features, new API

  • Post-handshake authentication
  • Key update
  • Length hiding
  • 0-RTT mode

SLIDE 18

Post-handshake auth

  • The server can request client-auth at any time with a CertificateRequest message
  • Re-associate the client's identity with a different certificate
  • Can delay client authentication until a resource is actually requested

[Figure: post-handshake message flow: CertificateRequest from the server, answered by Certificate and CertificateVerify from the client]

SLIDE 19

Post-handshake auth

OpenSSL:

    /* client: indicate post-handshake auth */
    SSL_set_post_handshake_auth(client, 1);
    /* server: request post-handshake auth */
    SSL_verify_client_post_handshake(server);

GnuTLS:

    /* client: indicate post-handshake auth */
    gnutls_init(&client, ... | GNUTLS_POST_HANDSHAKE_AUTH);
    /* server: request post-handshake auth */
    gnutls_reauth(server, 0);

NSS: not implemented

SLIDE 20

Key update

[Figure: KeyUpdate messages exchanged in both directions]

  • Peers can update traffic keys with a KeyUpdate message
  • There is a limit of data that can be safely encrypted with a single key

– GnuTLS and NSS implement automatic key updates

SLIDE 21

Key update

OpenSSL:

    /* schedule key update, and request the peer to update their key */
    SSL_key_update(s, SSL_KEY_UPDATE_REQUESTED);

GnuTLS:

    /* schedule key update, and request the peer to update their key */
    gnutls_session_key_update(s, GNUTLS_KU_PEER);

NSS:

    /* schedule key update, and request the peer to update their key */
    SSL_KeyUpdate(s, PR_TRUE);

SLIDE 22

Length hiding

[Figure: TLS 1.3 record layout. Record header: type 23, legacy version 0x0303, length. encrypted_record: content, content type, padding]

Prevent attackers being able to guess the actual content length

SLIDE 23

Length hiding

OpenSSL:

    /* default to pad to a multiple of 4096 */
    SSL_set_block_padding(s, 4096);
    /* override the padding with a callback per message */
    SSL_set_record_padding_callback(s, padding_cb);
    /* send application data */
    SSL_write(s, data, size);

    static size_t padding_cb(SSL *s, int type, size_t len, void *arg)
    {
        /* return new padding */
    }

SLIDE 24

Length hiding

GnuTLS:

    /* send application data without padding */
    gnutls_record_send(s, data, size);
    /* send application data with arbitrary padding */
    gnutls_record_send2(s, data, size, pad, 0);

NSS: not implemented
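An added example, not code from the talk or from any of the three libraries, of the record layout that length hiding relies on: the plaintext inside a TLS 1.3 record is the content, then the content-type byte, then zero padding, and a block-padding policy like the OpenSSL one above picks the padding so the plaintext rounds up to a block. The function names and the 16-byte block in the test are this example's own choices.

```c
/* Constructed example of the TLS 1.3 inner plaintext (content, type byte, zero
 * padding) shown on the slide; not code from the talk or any of the libraries. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_APPLICATION_DATA 23   /* content type carried inside the record */

/* Padding bytes needed so that content + type byte lands on a multiple of
 * block; an exact multiple needs none. */
static size_t block_padding(size_t len, size_t block)
{
    size_t inner = len + 1;
    return (block - inner % block) % block;
}

/* Sender side: writes content || type || zeros into out. Returns the inner
 * plaintext length, or 0 if out cannot hold it. */
static size_t build_inner_plaintext(const uint8_t *content, size_t len,
                                    uint8_t type, size_t block,
                                    uint8_t *out, size_t out_cap)
{
    size_t pad = block_padding(len, block);
    size_t total = len + 1 + pad;
    if (total > out_cap) return 0;
    memcpy(out, content, len);
    out[len] = type;
    memset(out + len + 1, 0, pad);    /* all padding bytes are zero */
    return total;
}

/* Receiver side: strip trailing zeros to find the type byte. A plaintext made
 * only of zeros has no type and is rejected (RFC 8446 treats it as an error). */
static int parse_inner_plaintext(const uint8_t *in, size_t n,
                                 size_t *content_len, uint8_t *type)
{
    while (n > 0 && in[n - 1] == 0) n--;
    if (n == 0) return -1;
    *type = in[n - 1];
    *content_len = n - 1;
    return 0;
}
```

The receiver cannot tell a 5-byte message from a 15-byte one once both are padded to 16; that is the property the OpenSSL block size and the GnuTLS pad argument buy.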

SLIDE 25

0-RTT mode

[Figure: TLS 1.3 1-RTT handshake vs 0-RTT resuming handshake. Labels: key exchange & authentication, authentication* + client Finished, early application data]

TLS 1.3: 1-RTT
TLS 1.3: 0-RTT (resuming handshake)

Even lower latency

SLIDE 26

0-RTT: Sending

  1. Check the maximum amount of data the server would accept
  2. Send early data
  3. Check if the server has accepted it; otherwise re-send the data as 1-RTT

SLIDE 27

0-RTT: Sending

OpenSSL:

    /* ❶ check the maximum data the server would accept */
    maxsize = SSL_SESSION_get_max_early_data(SSL_get_session(client));
    if (size > maxsize)
        return -1;

    /* ❷ send early data before handshake */
    SSL_write_early_data(client, data, size, &written);
    /* do handshake, either explicitly or implicitly */

    /* ❸ check if the early data was accepted */
    status = SSL_get_early_data_status(client);
    if (status != SSL_EARLY_DATA_ACCEPTED) {
        /* early data was rejected; resend it as 1-RTT */
        SSL_write(client, data, size);
    }

SLIDE 28

0-RTT: Sending

GnuTLS:

    /* ❶ check the maximum data the server would accept */
    maxsize = gnutls_record_get_max_early_data_size(client);
    if (size > maxsize)
        return -1;

    /* ❷ send early data before handshake */
    gnutls_record_send_early_data(client, data, size);
    gnutls_handshake(client);

    /* ❸ check if the early data was accepted */
    flags = gnutls_session_get_flags(client);
    if (!(flags & GNUTLS_SFLAGS_EARLY_DATA)) {
        /* early data was rejected; resend it as 1-RTT */
        gnutls_record_send(client, data, size);
    }

SLIDE 29

0-RTT: Sending

NSS:

    /* enable 0-RTT */
    SSL_OptionSet(client, SSL_ENABLE_0RTT_DATA, PR_TRUE);

    /* ❶ check the maximum data the server would accept */
    SSL_GetResumptionTokenInfo(tokenData, tokenLen, &token, sizeof(token));
    maxsize = token.maxEarlyDataSize;   /* field of SSLResumptionTokenInfo */
    if (size > maxsize)
        return -1;

    /* ❷ send early data before handshake */
    PR_Send(client, data, size, 0, PR_INTERVAL_NO_TIMEOUT);
    /* do handshake, either explicitly or implicitly */

    /* ❸ check if the early data was accepted */
    SSL_GetChannelInfo(client, &info, sizeof(info));
    if (!info.earlyDataAccepted) {
        /* early data was rejected; resend it as 1-RTT */
        PR_Send(client, data, size, 0, PR_INTERVAL_NO_TIMEOUT);
    }

SLIDE 30

0-RTT mode: Risks

  • No forward secrecy
  • Replay attacks

[Figure: resuming handshake with a duplicated ClientHello carrying early application data]

SLIDE 31

0-RTT: Anti-replay

  • Single use tickets

– OpenSSL

  • Client Hello recording

– GnuTLS, NSS

SLIDE 32

Single-use tickets

  • Record issued session tickets in DB
  • Remove ticket once it is used

– Not limited to 0-RTT
– Session tickets are long lived: ~1 week

SLIDE 33

Client Hello recording

[Figure: timeline. T0: initial session, ticket(T1) issued. T1: resumption with ticket(T1), recorded in window W1. T2: a second resumption with ticket(T1)]

Client sends a duplicated ClientHello: resumption with ticket(T1) with the same ticket age

Record each ClientHello within a certain time window: ~10 sec

Reject when: Client's view of ticket age – Server's view of ticket age > ~10 sec
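An added example, not the talk's own code and not GnuTLS or NSS internals, of the ClientHello-recording check this slide describes, written as the decision a server makes when a 0-RTT resumption arrives. The names, the in-memory table and the 10-second window are this example's assumptions; the store follows the add-if-absent contract the GnuTLS add callback on a later slide is expected to honour.

```c
/* Constructed example of server-side ClientHello recording for 0-RTT anti-replay;
 * not code from the talk, GnuTLS or NSS. Names and table layout are assumptions. */
#include <stdint.h>
#include <string.h>

#define AR_WINDOW_MS 10000  /* record ClientHellos for ~10 seconds */
#define AR_TABLE_SIZE 64    /* toy in-memory store; a real server uses a DB */

enum ar_result { AR_ACCEPT = 0, AR_REJECT_SKEW, AR_REJECT_REPLAY };
struct ar_entry { uint8_t key[32]; size_t key_len; uint64_t expires_ms; };
static struct ar_entry ar_table[AR_TABLE_SIZE];

/* Add key unless an unexpired copy is present (the "add if it doesn't exist"
 * contract of the GnuTLS add callback): 0 added, 1 present, -1 table full. */
static int ar_add_if_absent(const uint8_t *key, size_t key_len,
                            uint64_t now_ms, uint64_t expires_ms)
{
    struct ar_entry *slot = NULL;
    if (key_len > sizeof(slot->key)) return -1;
    for (size_t i = 0; i < AR_TABLE_SIZE; i++) {
        struct ar_entry *e = &ar_table[i];
        if (e->key_len == key_len && e->expires_ms > now_ms &&
            memcmp(e->key, key, key_len) == 0)
            return 1;              /* same ClientHello inside the window */
        if (slot == NULL && e->expires_ms <= now_ms)
            slot = e;              /* free or expired slot can be reused */
    }
    if (slot == NULL) return -1;
    memcpy(slot->key, key, key_len);
    slot->key_len = key_len;
    slot->expires_ms = expires_ms;
    return 0;
}

/* Decide whether early data on a resumption may be accepted. key identifies the
 * ClientHello (e.g. a hash of it); client_age_ms is the ticket age the client
 * claims, server_age_ms is now minus the time the ticket was issued. */
static enum ar_result ar_check_client_hello(const uint8_t *key, size_t key_len,
        uint64_t client_age_ms, uint64_t server_age_ms, uint64_t now_ms)
{
    uint64_t skew = client_age_ms > server_age_ms ? client_age_ms - server_age_ms
                                                  : server_age_ms - client_age_ms;
    if (skew > AR_WINDOW_MS) return AR_REJECT_SKEW;  /* stale age: fall back to 1-RTT */
    /* inside the window only the first copy of a ClientHello gets 0-RTT;
     * a full table is also treated as a rejection, the safe default */
    if (ar_add_if_absent(key, key_len, now_ms, now_ms + AR_WINDOW_MS) != 0)
        return AR_REJECT_REPLAY;
    return AR_ACCEPT;
}
```

A rejection here only downgrades the connection to a normal 1-RTT resumption; the early data is dropped, not the session.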

SLIDE 34

0-RTT: Receiving

  1. Enable 0-RTT with anti-replay
  2. Accept or reject early data

SLIDE 35

0-RTT: Receiving

OpenSSL:

    /* enable 0-RTT */
    SSL_set_max_early_data(server, 65535);
    /* optional */
    /* anti-replay mechanism is on by default,
     * implemented using the server session cache */

    /* receive early data, before application data */
    do {
        ret = SSL_read_early_data(server, buf, sizeof(buf), &readbytes);
        if (ret == SSL_READ_EARLY_DATA_SUCCESS)
            /* early data received */;
    } while (ret != SSL_READ_EARLY_DATA_FINISH && ret != SSL_READ_EARLY_DATA_ERROR);

SLIDE 36

0-RTT: Receiving

GnuTLS:

    /* enable early data receiving */
    gnutls_init(&server, ... | GNUTLS_ENABLE_EARLY_DATA);
    /* optional */
    gnutls_record_set_max_early_data_size(server, 65535);

    /* setup anti-replay mechanism */
    gnutls_anti_replay_init(&ar);
    gnutls_anti_replay_add_function(ar, ar_add_func);
    /* optional: window in milliseconds (10000 assumed, for the ~10 sec window) */
    gnutls_anti_replay_set_window(ar, 10000);
    gnutls_anti_replay_enable(server, ar);

    static int ar_add_func(void *ptr, time_t exp_time,
                           const gnutls_datum_t *key,
                           const gnutls_datum_t *data)
    {
        /* add key/data if it doesn't exist; return 0 when added,
         * GNUTLS_E_DB_ENTRY_EXISTS when the key is already present */
    }

SLIDE 37

0-RTT: Receiving

GnuTLS (continued):

    /* retrieve early data through a handshake hook */
    gnutls_handshake_set_hook_function(server,
                                       GNUTLS_HANDSHAKE_END_OF_EARLY_DATA,
                                       GNUTLS_HOOK_POST,  /* after EndOfEarlyData is processed */
                                       handshake_hook_func);

    static int handshake_hook_func(gnutls_session_t session,
                                   unsigned int htype, unsigned when,
                                   unsigned int incoming,
                                   const gnutls_datum_t *msg)
    {
        …
        return gnutls_record_recv_early_data(session, buf, sizeof(buf));
    }

SLIDE 38

0-RTT: Receiving

NSS:

    /* enable early data receiving */
    SSL_OptionSet(server, SSL_ENABLE_0RTT_DATA, PR_TRUE);
    /* optional */
    SSL_SetMaxEarlyDataSize(server, 65535);

    /* setup anti-replay mechanism
     * NSS internally uses Bloom filters to detect dupes
     * where k = 7, bits = 14; window of ~10 sec */
    SSL_SetupAntiReplay(10 * PR_USEC_PER_SEC, 7, 14);

    /* receive early data as part of normal data */
    PR_Read(server, buf, sizeof(buf));

SLIDE 39

Summary

  • TLS 1.3 > TLS 1.2
  • TLS 1.3 also brings additional features
  • Those features need new API
  • API designs have reasons behind them

SLIDE 40

Resources

  • TLS 1.3 – OpenSSLWiki

– https://wiki.openssl.org/index.php/TLS1.3

  • GnuTLS and TLS 1.3

– https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html

  • NSS

– https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ssl/sslexp.h