HTTPS & TLS in 2016: Security practices from the front lines

Transcript

1. HTTPS & TLS in 2016 Security prac6ces from the front

   lines Kenneth White, opencryptoaudit.org/people Eric Mill, [email protected] AppSecUSA, Washington October 13, 2016

2. Topics •  What is HTTPS and TLS? •  Making the

   web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs (201) •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A

3. Topics •  What is HTTPS and TLS? •  Making the

   web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A

4. Confidentiality All the network sees are the IP address, port,

   and (with SNI) the domain name.

5. Modern encryption is authenticated. Authentication protects against impersonation. Authentication requires

   tamper-resistance: Hashes Message Authentication Codes (MACs) Nonces Authenticity

6. Modern encryption is authenticated. Authentication protects against impersonation. Authentication requires

   tamper-resistance: Hashes Message Authentication Codes (MACs) Nonces Authenticity

7. Modern encryption is authenticated. Authentication protects against impersonation. Authentication requires

   tamper-resistance: Hashes Message Authentication Codes (MACs) Nonces Authenticity

8. If you encrypt app data on your network, but don’t

   authenticate it, it’s not your data. Unsigned (or signed-then-encrypted) network packets allow me to become you. Without auth, Admin=0 becomes: Admin=1 Authenticity

9. If you encrypt app data on your network, but don’t

   authenticate it, it’s not your data. Unsigned (or signed-then-encrypted) network packets allow me to become you. Without auth, Admin=0 becomes: Admin=1 Authenticity

10. If you encrypt app data on your network, but don’t

    authenticate it, it’s not your data. Unsigned (or signed-then-encrypted) network packets allow me to become you. Without auth, Admin=0 becomes: Admin=1 Authenticity

11. An example Authenticity

12. Authenticity

13. None
14. None
15. None
16. None

17. Integrity Anyone on the network can freely modify a website

    that isn’t using HTTPS. Using plain HTTP voids any strong privacy or security guarantees a website claims to offer.

18. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A

19. Some history

20. None
21. None
22. None
23. None
24. None
25. None
26. None
27. None
28. None

29. M-15-13: Require Secure Connections

30. https.cio.gov

31. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
32. None

33. http://google.com hopefully https://google.com Without HSTS

34. definitely https://google.com With HSTS

35. HSTS = no clicking through certificate warnings

36. None
37. None

38. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
39. None
40. None
41. None
42. None
43. None
44. None

45. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
46. None
47. None
48. None

49. HTTP/2 From the chair of the HTTP/2 working group:

50. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A
51. None
52. None
53. None
54. None

55. Ivan Ris6c: SSL Threat Model hVps://blog.ivanris6c.com/downloads/SSL_Threat_Model.png

56. Real-world Apache/Nginx TLS

57. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA

58. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA

59. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA

60. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

61. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA

62. CBC is a problem

63. CBC is a problem

64. Real-world Apache/Nginx TLS PROTOCOL SSL v1 SSL v2 SSL v3

    TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 CIPHER NULL DES 3DES RC4 Twofish Blowfish AES ChaCha20 KEYEX RSA DH DHE ECDH HMAC MD5 SHA-1 SHA-256 SHA-384 SHA-512 Poly1305 MODE ECB CBC GCM OCB AUTH ECDSA RSA Also: HSTS (strict transport security), HPKP (pinning), CT (cert transparency), SNI (virtual hosts)

65. TL;DR

66. Highly Recommended Qualys SSL Labs hVps://www.ssllabs.com/ssltest/ Bulletproof SSL & TLS

    hVps://www.feistyduck.com/books/bulletproof-ssl-and-tls/ Mirage TLS handshake interac6ve server hVps://tls.openmirage.org/ Adam Langley: Matching primi6ve strengths hVps://www.imperialviolet.org/2014/05/25/strengthmatching.html

67. Highly Recommended Mozilla Server-Side TLS/SSL Config Generator hVps://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Security/Server-Side

    TLS Wiki hVps://wiki.mozilla.org/Security/Server_Side_TLS ScoV Helme: Windows TLS config hVps://scoVhelme.co.uk/gecng-an-a-on-the-qualys-ssl-test-windows-edi6on/ ScoV Helme: Let’s Encrypt ECDSA cer6ficates hVps://scoVhelme.co.uk/ecdsa-cer6ficates/

68. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A

69. OpenSSL 1.1 Audit

70. OpenSSL 1.1 Audit Directed by the Open Crypto Audit Project

    (opencryptoaudit.org) Commissioned by Linux Founda6on’s Core Infrastructure IniVaVve (CII) Ambi6ous Scope Independent review Coordina6ng closely with OpenSSL core team Delayed for v. 1.1 maturity (significant refactor) Diverse, complex codebase: Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris) Intel x86 (incl. AES-NI), ARM6/7, MIPS, PowerPC, Alpha… FIPS module

71. OpenSSL 1.1 Audit Major Goals –  Thorough public security analysis

    of the core code in the next major release of OpenSSL –  Demonstrate viability of a reusable open source test harness framework –  Foster web-scale peer-reviewed public tools & data sets for protocol & nego6a6on analysis

72. OpenSSL 1.1 Audit Phase 1 Goals •  BigNum: multiprecision ints,

    constant time, blinding •  BIO (focus on composition & file functions) •  ASN.1 & x509 (cert & key parsing, DER/PEM decoding, structs, subordinate chains) •  93M cert corpus, “Frankencert” fuzzing

73. OpenSSL 1.1 Audit Phase 2 Goals •  TLS state machine

    •  EVP (PKI constructions, H/MACs, envelopes) •  Protocol flows, core engine implementation •  Memory management •  Crypto core (RSA, SHA-2, DH/ECDH, CBC, GGM…)

74. OpenSSL 1.1 Audit Rough metrics: 412-494K total SLOC OpenSSL v.

    1.1 Master (2015-03-14)

75. Landed in 1.1.0 final release OpenSSL 1.1 Audit

76. OpenSSL 1.1 Audit Refactored: BIO networking library (full support for

    IPv6) EVP Bignum Core data structures Record Layer rewrite SSL/TLS state machine Version nego6a6on

77. OpenSSL 1.1 Audit Removed: SSLv2 40- and 56-bit cipher support

    FIPS 140-2 module (but coming soon: hVps://www.openssl.org/blog/blog/2016/07/20/fips/) Kerberos ciphersuite support Removed from DEFAULT ciphersuites: RC4

78. OpenSSL 1.1 Audit Added: AFALG engine (Linux userspace hardware crypto

    via netlink: hVps://lwn.net/Ar6cles/410763/) Asynchronous crypto opera6ons (libcrypto and libssl) CCM (authen6cated) block cipher mode ChaCha/Poly (see: hVps://news.ycombinator.com/item?id=10710140) HKDF (HMAC-based Extract-and-Expand Key Deriva6on Func6on) OCB (authen6cated) block cipher mode Pipelining, Threading API Scrypt Curve25519: (see: hVps://www.ieo.org/mail-archive/web/cfrg/current/msg04996.html)

79. OpenSSL 1.1 Audit OCAP final report by the end of

    this month

80. Topics •  What is HTTPS and TLS? •  Making the

    web HTTPS by default •  HTTP Strict Transport Security (HSTS) •  Cer6ficate Transparency •  Modern deployment (CDNs, HTTP/2, SNI) •  Ciphersuites & Protocols: Interop & Tradeoffs •  The OpenSSL 1.1 Audit •  Closing thoughts and Q&A

81. Closing thoughts and Q&A

82. HTTPS & TLS in 2016 Security prac6ces from the front

    lines Kenn White, [email protected] Eric Mill, [email protected]