Getting TLS Right

Transcript

1. Getting TLS Right Zack Tollman @tollmanz

2. None

3. “Pervasive monitoring is a technical attack that should be mitigated

   in the design of IETF protocols, where possible.” — IETF https://tools.ietf.org/html/rfc7258

4. “Today we are announcing our intent to phase out non-secure

   HTTP” — Richard Barnes, Firefox Security Lead https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

5. HTTP/2 is TLS only in Chrome and Firefox https://wiki.mozilla.org/Networking/http2

6. Now Later Less TLS More TLS

7. TLS knowledge is now essential

8. We are bad at TLS

9. 78% of sites are not secure https://www.trustworthyinternet.org/ssl-pulse/

10. 432 heartbleed vulnerabilities (0.3%) https://www.trustworthyinternet.org/ssl-pulse/

11. 97% do not support HSTS https://www.trustworthyinternet.org/ssl-pulse/

12. 37% do not support Perfect Forward Secrecy https://www.trustworthyinternet.org/ssl-pulse/

13. “misconfiguration errors are undermining the potential security” — Kranch &

    Bonneau (2015) http://www.internetsociety.org/sites/default/files/01_4_0.pdf

14. “industry-wide configuration problem with the deployment of DHE key exchange”

    — Huang, Adhikarla, Boneh, & Jackson (2014) http://www.w2spconf.com/2014/papers/TLS.pdf

15. We don’t seem to understand TLS

16. Let’s fix that

17. Quick Note on TLS and SSL

18. function capital_TLS_dangit( $content ) { return str_replace( array( 'SSL', 'Secure

    Sockets Layer' ), array( 'TLS', 'Transport Layer Security' ), $content ) }

19. SSL v2 SSL v3 TLS v1 TLS v1.1 TLS v1.2

    1995 1996 1999 2006 2008

20. Encryption Integrity Authentication Key Exchange

21. Authentication

22. Is the server the intended server?

23. Chain of trust

24. End Certificate *.wordpress.com Signing algorithm Signature Public Key Public Exponent

25. End Intermediate Certificate CA certificate Signature

26. End Root Certificate In browser Signature Intermediate

27. End Intermediate Root Trusts Trusts

28. Integrity

29. Is the message received the message sent?

30. Data Data

31. Data Data Hash Encrypt

32. Data Data Hash Encrypt Encrypt

33. Data Data Hash Encrypt Encrypt Receiver

34. Receiver has encrypted hash and encrypted data

35. E-Hash E-Data

36. E-Hash E-Data P-Hash P-Data

37. E-Hash E-Data P-Hash P-Data Hash

38. Hash Hash =

39. Encryption

40. Converts plaintext to ciphertext

41. Y B B C P B A S

42. Y B B C P B A S L O

    O P C O N F

43. A B C D E F N O P Q

    R S +13

44. Algorithm: Letter + 13 = Cipher Letter

45. Substitution Cipher Caesar Cipher

46. Key

47. Key 13

48. Weak cipher

49. Secrecy in algorithm is a problem

50. Secrecy in key is better

51. Advanced Encryption Standard - Rijndael http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

52. Many rounds of substitution and permutations

53. Key Exchange

54. How do we establish an encryption key for 2 unknown

    parties over an insecure connection?

55. http://en.wikipedia.org/wiki/Enigma_machine#/media/File:Kenngruppenheft.jpg Ben Slivka

56. Couriers delivered the daily keys

57. http://en.wikipedia.org/wiki/Jeff_Bezos#/media/File:Jeff_Bezos%27_iconic_laugh.jpg

58. Doesn’t work for the modern web

59. Diffie-Hellman-Merkle key exchange

60. Each individual has a key by the time the process

    is complete

61. Demo

62. s is a premaster secret from which the master secret

    is derived

63. Master secret is the key used for encryption

64. Trapdoor functions

65. Easy one way

66. Impossibly difficult the other way

67. If a, b, g, or p are different, s is

    different

68. Perfect forward secrecy

69. Lavabit

70. I failed to update the Lavabit SSL configuration to prefer

    ciphers that provided perfect forward secrecy. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

71. Cipher Suites

72. Combination of algorithms for authentication, integrity, encryption, and key exchange

73. ECDHE-RSA-AES128-GCM-SHA256

74. ECDHE-RSA-AES128-GCM-SHA256 Key Exchange

75. ECDHE-RSA-AES128-GCM-SHA256 Certificate signing algorithm (Authentication)

76. ECDHE-RSA-AES128-GCM-SHA256 Cipher (Encryption)

77. ECDHE-RSA-AES128-GCM-SHA256 Message authentication code (Integrity)

78. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA- AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-

    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256- SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3- SHA

79. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA- AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-

    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256- SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3- SHA

80. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128- GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH +AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA- AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA- AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128- SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-

    SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256- SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:! EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES- CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3- SHA
81. None
82. None

83. TLS Handshake

84. Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec

    Finished Application Data

85. 1. Client hello Cipher suites TLS version Random bytes Client

    -> Server

86. 2. Server hello Cipher suite choice TLS version choice Server

    -> Client

87. 3. Certificate Certificate chain sent Cert signature matches auth algorithm

    Server -> Client

88. 4. Server Key Exchange Info for key exchange Server ->

    Client

89. 5. Server Hello Done Server has sent all info Server

    -> Client

90. 6. Client Key Exchange Info for key exchange Client ->

    Server

91. 7. Change Cipher Spec Enough info for encryption Switch to

    encryption Client -> Server

92. 8. Finished Signals that handshake is done Client -> Server

93. 9. Change Cipher Spec Server -> Client

94. 10. Finished Server -> Client

95. TLS Handshake demo with Wireshark

96. Configure TLS with Nginx

97. All configuration in server block

98. ssl on;

99. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

100. ssl_ciphers ECDHE-RSA-AES128-GCM- SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA- AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM- SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128- GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128- SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA- AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA- AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE- RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-

     AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128- SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256- SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256- GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:! aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:! aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3- SHA:!KRB5-DES-CBC3-SHA

101. ssl_prefer_server_ciphers on;

102. ssl_certificate /path/to/ certificate.crt; ssl_certificate_key /path/to/ private-key.key;

103. istlsfastyet.com https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

104. HTTP Strict Transport Security

105. SSL Stripping http://www.thoughtcrime.org/software/sslstrip/

106. What if HTTP variant was never accessed?

107. HSTS blocks browser from HTTP version of site

108. Set HSTS only after mixed content issues are resolved

109. add_header Strict-Transport- Security 'max-age=31536000; includeSubDomains';

110. Mixed Content

111. HTTP assets in HTTPS page is an attack vector

112. Content Security Policy

113. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

114. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

115. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

116. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

117. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

118. Content-Security-Policy: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self' https:;

     style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com

119. Content-Security-Policy-Report- Only: default-src 'self' https:; font-src https:// fonts.gstatic.com; img-src 'self'

     https:; style-src ‘self' https: https://fonts.googleapis.com; script-src 'self' https: https://ssl.google-analytics.com; report-uri /beacon.php

120. upgrade-insecure-requests coming soon http://www.w3.org/TR/upgrade-insecure-requests/

121. TLS Configuration Needs Maintenance

122. A theoretical weakness became practical. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

123. I missed that development. — Ladar Levison http://arstechnica.com/security/2013/11/07/op-ed-lavabits-founder-responds-to- cryptographers-criticism/

124. tollmanz.com/loopconf-2015 @tollmanz