TLS 1 - DeepSec · TLS 1.3 Lessons Learned from Implementing and Deploying the Latest Protocol Nick...
TLS 1.3: Lessons Learned from Implementing and Deploying the Latest Protocol
Nick Sullivan @grittygrease
November 11, 2016
SP 0:00:00
PLAY
- MENU -
■ PAST
PRESENT
FUTURE
Transport Layer Security
• Point-to-point secure communication protocol
• Client-server model, with server authentication, optional client authentication
OSI Model
OSI layers: Application, Presentation, Session, Transport, Network, Data link, Physical
Protocol stack: HTTP, TLS, TCP, IP, Ethernet, Physical
TLS: Layer 6
[Diagram: HTTP, SMTP, gRPC > HTTP, SMTP, gRPC with TLS]
50% of page loads are HTTPS
The Evolution of TLS
• SSLv1 (1993?) 💩
• SSLv2 (1994) 🌊
• SSLv3 (1995) 🐩
• TLS 1.0 (1999) 👹
• TLS 1.1 (2006)
  • Lucky 13
  • RC4 Biases
  • SWEET32
• TLS 1.2 (2008)
  • Safe with the right configuration
Essential Components
• Key Exchange
• Authentication
• Encipherment
The TLS 1.2 Handshake
Client → Server: hello
Server → Client: hello + key share + cert
Client → Server: key share + HMAC
Server → Client: HMAC
Client → Server: request
Newton Image CC 2.0 SA, flickr.com/photos/moparx/5321857668
ECDHE-RSA-AES256-GCM-SHA384
Key Exchange: ECDHE
Authentication: RSA
Cipher: AES256-GCM-SHA384
K-A-C
[Diagram: K-A-C negotiation. Client >>> KAC1, KAC2, KAC3; server list KAC3, KAC2, KAC4; <<< KAC3]
Key Exchange
Static RSA - oldest form, take the pre-master secret and encrypt with the public key of the cert
DH - Diffie-Hellman with arbitrary group for pre-master secret
ECDHE - Diffie-Hellman with elliptic curves for pre-master secret
Key Exchange
Static RSA - No Forward Secrecy. The NSA will retroactively decrypt your conversations.
DH - People choose bad parameters and there’s no way to know.
ECDHE - You’re cool, but drop the old curves.
Who you are is who you are.
Authentication
Authentication in 1.2
• Certificate with public key (RSA or ECDSA)
• With RSA, PKCS#1 v1.5 is known to be fragile, but there are no known direct attacks. PSS would be better.
• ECDSA: just don’t reuse the random nonce (Android PRNG, etc.)
• Use a strong hash function; MD5 collisions exist, resulting in SLOTH
Authentication in 1.2
• What do you sign?
• Nonces and public key: No authentication of the cipher or curve choices, leading to FREAK, LogJam, CurveSwap
• Extended Master Secret: derive the key from the entire transcript to make sure you can’t just choose params so that two connections have the same keys (Triple Handshake)
Encryption
• CBC-mode ciphers with sign-then-encrypt: BEAST, padding problems galore (Lucky 13), birthday collisions (SWEET32)
• Only stream cipher is RC4: predictable
• TLS 1.2 introduced AEAD: AES-GCM, ChaCha20/Poly1305
Session Resumption
Encrypt the session keys with a session ticket key (STK)
This makes the STK a long-term secret that kills forward secrecy
What is the safe configuration?
• AEAD cipher (RC4 and CBC vulns)
• EMS (FREAK/LogJam, Triple Handshake, etc.)
• ECDHE (new point per connection)
• Restricted resumption
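The K-A-C breakdown and the objections from the earlier slides can be applied mechanically to a server's suite list. The following is an added example, not code from the talk or from any TLS library; it assumes OpenSSL-style TLS 1.2 suite names, and `parseSuite` and `audit` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// Suite is an OpenSSL-style TLS 1.2 suite name split into K-A-C parts.
type Suite struct{ Kx, Auth, Cipher string }

// parseSuite splits names such as ECDHE-RSA-AES256-GCM-SHA384. Names without
// an ECDHE/DHE prefix (e.g. AES128-SHA) use static RSA for both K and A.
func parseSuite(name string) Suite {
	parts := strings.Split(name, "-")
	s := Suite{Kx: "RSA", Auth: "RSA"}
	if len(parts) > 2 && (parts[0] == "ECDHE" || parts[0] == "DHE") {
		s.Kx, s.Auth = parts[0], parts[1]
		parts = parts[2:]
	}
	s.Cipher = strings.Join(parts, "-")
	return s
}

// audit returns the slides' objections to a suite; an empty result means the
// suite meets the "ECDHE + AEAD" part of the safe configuration.
func audit(name string) []string {
	s := parseSuite(name)
	var findings []string
	switch s.Kx {
	case "RSA":
		findings = append(findings, "static RSA key exchange: no forward secrecy")
	case "DHE":
		findings = append(findings, "DH: group parameters must be checked separately")
	}
	aead := strings.Contains(s.Cipher, "GCM") || strings.Contains(s.Cipher, "CHACHA20")
	switch {
	case aead: // nothing to report
	case strings.Contains(s.Cipher, "RC4"):
		findings = append(findings, "RC4: predictable stream cipher")
	default:
		findings = append(findings, "CBC mode: BEAST, Lucky 13")
		if strings.Contains(s.Cipher, "DES-CBC3") {
			findings = append(findings, "64-bit block cipher: SWEET32")
		}
	}
	return findings
}

func main() {
	// Constructed sample list, as a server's configured suites might look.
	for _, n := range []string{
		"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305",
		"DHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA",
	} {
		fmt.Printf("%-32s %v %q\n", n, parseSuite(n), audit(n))
	}
}
```

A suite name says nothing about EMS or resumption policy, so those two items of the list need their own checks.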
- MENU -
PAST
■ PRESENT
FUTURE
Fixing TLS
• TLS 1.3 Draft 00 on April 17, 2014
• Currently: Draft 18
• It’s 118 pages vs. 104 for TLS 1.2
Goals
• Remove broken cryptography
• Clear, simple to implement specification
• Formal verification
• Backwards compatibility
• Make the handshake faster (more on that)
[Diagram: K,A,C negotiation. Client >>> K1 A1 C1, K2 A2 C2, K3 C3; server lists K3, K2; A2; C2, C3; <<< K3, A2, C2]
Key Exchange
ECDHE (no weak curves)
x25519, x448 for djb hipsters
ffDHE (safe groups)
Authentication
RSA-PSS
ECDSA
Entire transcript is signed
Cipher
AEADs only
AES-GCM, ChaCha20-Poly1305
No weak KDFs (SLOTH)
The TLS 1.3 Handshake
Client → Server: hello + key share
Server → Client: hello + key share + cert + HMAC
Client → Server: request
Newton Image CC 2.0 SA, flickr.com/photos/moparx/5321857668
The TLS 1.3 Handshake
Client → Server: hello + key share
Server → Client: hello retry request
Client → Server: hello + cookie + key share
Server → Client: hello + key share + cert + HMAC
Client → Server: request
Newton Image CC 2.0 SA, flickr.com/photos/moparx/5321857668
Session Resumption
Encrypt the resumption master secret with a session ticket key (STK)
New sessions use new key exchange
Building and Deploying TLS 1.3
Cloudflare's stack
OpenSSL
|
nginx
|
origin
Go Go Go
• Let’s build a TLS 1.3 stack in Go: tls-tris
• Hand off the TCP socket from nginx to a Go-based reverse proxy using tris.
• Inspect first two bytes, if 3.4, send to Go. Go can accept or reject based on customer settings.
Cloudflare's stack
OpenSSL
| |
tris nginx
| |
origin
The big launch
Encryption Week
Enabled for >3 million sites
September 20th
Launch
• Draft 14 support
• Firefox Nightly and Chrome Canary, but disabled by default
• We only saw around 1 connection per second globally
Version Intolerance
• Version number 3.4 breaks >2% of servers
• Chrome could either
• Break these sites
• Implement insecure fallback
• Lobby the IETF to change the negotiation
Version Intolerance
• Version number in Draft 16 is now 3.4
• TLS 1.3 negotiated via an extension
• Our implementation was broken for a week
• SSL Labs is still broken
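The hand-off rule from the "Go Go Go" slide (first two bytes are 3.4) and the extension-based negotiation described here can both be checked on a buffered ClientHello. This is an added example, not code from tls-tris or Cloudflare; the extension number 43 (supported_versions) and the 0x7f draft marker come from the TLS 1.3 specification rather than the slides, and `offersTLS13` and `sampleHello` are hypothetical names.

```go
package main

import "fmt"

const extSupportedVersions = 43 // extension type that lists offered versions

// readVec splits off a vector with an n-byte big-endian length prefix.
func readVec(b []byte, n int) (body, rest []byte, ok bool) {
	l := 0
	for i := 0; i < n && i < len(b); i++ {
		l = l<<8 | int(b[i])
	}
	if len(b) < n+l {
		return nil, nil, false
	}
	return b[n : n+l], b[n+l:], true
}

// offersTLS13 reports whether a TLS record holding a complete ClientHello
// offers TLS 1.3. Malformed input counts as "no" and stays on the old stack.
func offersTLS13(rec []byte) bool {
	if len(rec) < 9 || rec[0] != 22 || rec[5] != 1 { // handshake record, ClientHello
		return false
	}
	b, _, ok := readVec(rec[6:], 3) // ClientHello body
	if !ok || len(b) < 34 {
		return false
	}
	if b[0] == 3 && b[1] == 4 { // first two bytes: client_version 3.4
		return true
	}
	b = b[34:] // skip client_version (2) and random (32)
	for _, n := range []int{1, 2, 1} { // session_id, cipher_suites, compression
		if _, b, ok = readVec(b, n); !ok {
			return false
		}
	}
	exts, _, _ := readVec(b, 2) // a missing extensions block leaves exts empty
	for len(exts) >= 4 {
		typ := int(exts[0])<<8 | int(exts[1])
		data, rest, ok := readVec(exts[2:], 2)
		if !ok {
			return false
		}
		exts = rest
		if typ != extSupportedVersions {
			continue
		}
		list, _, _ := readVec(data, 1)
		for ; len(list) >= 2; list = list[2:] {
			if (list[0] == 3 && list[1] == 4) || list[0] == 0x7f { // 3.4 or a draft
				return true
			}
		}
	}
	return false
}

// sampleHello builds a minimal ClientHello record (constructed test input).
func sampleHello(clientVersion uint16, offered ...uint16) []byte {
	b := append([]byte{byte(clientVersion >> 8), byte(clientVersion)}, make([]byte, 32)...)
	b = append(b, 0, 0, 2, 0xc0, 0x2f, 1, 0) // empty session_id, one suite, null compression
	if n := 2 * len(offered); n > 0 {
		b = append(b, 0, byte(n+5), 0, extSupportedVersions, 0, byte(n+1), byte(n))
		for _, v := range offered {
			b = append(b, byte(v>>8), byte(v))
		}
	}
	return append([]byte{22, 3, 1, 0, byte(len(b) + 4), 1, 0, 0, byte(len(b))}, b...)
}

func main() {
	fmt.Println(offersTLS13(sampleHello(0x0304)), offersTLS13(sampleHello(0x0303, 0x7f12)), offersTLS13(sampleHello(0x0303)))
}
```

A front end that only looks at the first two bytes stops matching once clients move the offer into the extension, which is why the parser walks the whole ClientHello.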
Amazing!
- MENU -
PAST
PRESENT
■ FUTURE
The future of tls-tris
Attempting to upstream to Go standard library
NCC Group audit
• Chrome Canary enabled field test
• Firefox Nightly enabled by default
• Firefox 52 (March 2017) on by default
• OpenSSL 1.1.1 in 6 months
• Draft 18 submitted for last call
• Final submission IESG: January 2017
The TLS 1.3 0-RTT Handshake
Client → Server: hello + key share + request
Server → Client: hello + key share + cert + HMAC + response
Newton Image CC 2.0 SA, flickr.com/photos/moparx/5321857668
0-RTT Is Replayable
• Requests should be idempotent
• Idempotent requests can leak data
• Small time window
0-RTT Attack
Participants: Client, Attacker, Server, DB
Client → Server: hello + key share + POST request
Attacker → Server: hello + key share + POST request
0-RTT Attack
Client → Server: hello + key share + GET request
Attacker → Server: hello + key share + GET request
Server: hello + key share + cert + HMAC + response
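A server-side policy that follows the three bullets of "0-RTT Is Replayable" (idempotent requests only, a small time window) and also refuses a second copy of the same first flight, so replayed GETs are not answered either. This is an added example, not part of the talk and not a crypto/tls API; `EarlyDataGate` is a hypothetical type, and the ticket ID and issue time are assumed to come from the decrypted session ticket.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type Verdict string

const (
	Accept       Verdict = "accept as 0-RTT"
	RejectMethod Verdict = "defer to 1-RTT: method not idempotent"
	RejectStale  Verdict = "defer to 1-RTT: ticket outside time window"
	RejectReplay Verdict = "defer to 1-RTT: ticket already used"
)

// EarlyDataGate is a hypothetical server-side policy object.
type EarlyDataGate struct {
	Window time.Duration // how long after issue a ticket may carry 0-RTT data
	mu     sync.Mutex
	used   map[string]time.Time // ticket ID -> time its record may be dropped
}

// Check decides whether a request that arrived as early data may run before
// the handshake completes. A rejection means "answer after the full handshake".
func (g *EarlyDataGate) Check(method, ticketID string, issued, now time.Time) Verdict {
	switch method {
	case "GET", "HEAD", "OPTIONS": // safe methods only; POST and friends must wait
	default:
		return RejectMethod
	}
	expiry := issued.Add(g.Window)
	if now.Before(issued) || !now.Before(expiry) {
		return RejectStale
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.used == nil {
		g.used = make(map[string]time.Time)
	}
	for id, exp := range g.used { // expired tickets fail the window check anyway
		if !now.Before(exp) {
			delete(g.used, id)
		}
	}
	if _, seen := g.used[ticketID]; seen {
		return RejectReplay // second arrival of the same first flight
	}
	g.used[ticketID] = expiry
	return Accept
}

func main() {
	g := &EarlyDataGate{Window: 10 * time.Second}
	t0 := time.Date(2016, 11, 11, 12, 0, 0, 0, time.UTC) // constructed timestamps
	fmt.Println(g.Check("POST", "ticket-A", t0, t0.Add(time.Second)))
	fmt.Println(g.Check("GET", "ticket-A", t0, t0.Add(time.Second)))
	fmt.Println(g.Check("GET", "ticket-A", t0, t0.Add(2*time.Second))) // replayed copy
	fmt.Println(g.Check("GET", "ticket-B", t0, t0.Add(11*time.Second)))
}
```

With more than one server terminating TLS, the used-ticket map has to be shared between them, otherwise a copy sent to a second server is accepted.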
“It’s a superb thing.”
–Tim Cook on encryption
SP 0:40:00
STOP