Was ist neu bei TLS 1.3? - FRAOSUG · • TLS 1.3 protects the negotiated data as soon as it is...

History Crypto Primitives TLS < 1.3 Hands on Bibliography

Was ist neu bei TLS 1.3?TSLv1.3 – 21nd Century Internet Transmission Security

Dr. Erwin Hoffmann

November, 20th, 2018

1 / 23


Todays Agenda

• History of TLS and it’s cryptographic concepts• Working model of former TLS implementations• Changes done for TLS 1.3• OpenSSL 1.1.1 under OmniOSce• Installation of fehQlibs + ucspi-ssl• Protocol analysis using WireShark and ’testssl’

TLS 1.3. has been published in RFC 8446 after years of discussion in the IETFin August 2018. Since September 2018 OpenSSL 1.1.1 is available supportingTLSv1.3. My software ucspi-ssl-0.10 is OpenSSL 1.1.1 enabled and used heretogether with OmniOS (r15028).

2 / 23

https://tools.ietf.org/html/rfc8446

https://www.fehcom.de/ipnet/ucspi-ssl.html


Internet security protocols

Transport Layer Security (TLS) – aka Secure Socket Layer (SSL) – is a fundamentalIT security concept and in particular used for Web encryption (HTTPS) and encryptedemail transmission (ESMTPS/ESMTP+StartTLS).

Dark FiberBit transmission PHYPHY

MAC MAC

IP IP

TCP/UDP TCP/UDP

TLSTLS TLS Tunnel

Router function

HTTPS HTTPS

SSH SSHprotected TLS end-to-end transmission

protected messages

IPsec packets

TLS-Records

Message User (authenticated)

Application

Instance(stateful)

Instance(stateless,stateful)

Instance (authenticated)

Security Association via IPsec

MAC framesMACsec WPA(2)

Wireless

Figure: IT security protocols in a layered view

↪→ The cryptographic framework and routines are also used for SSH, PGP, IPSec andWiFi (WPA2), though in a different context.

3 / 23


Development of cryptographic standards and protocols

Dark FiberBit transmission PHYPHY

MAC MAC

IP IP

TCP/UDP TCP/UDP

TLSTLS TLS Tunnel

Router function

HTTPS HTTPS

SSH SSHprotected TLS end-to-end transmission

protected messages

IPsec packets

TLS-Records

Message User (authenticated)

Application

Instance(stateful)

Instance(stateless,stateful)

Instance (authenticated)

Security Association via IPsec

MAC framesMACsec WPA(2)

Wireless

Figure: Cryptographic standards since the Unix epoch

4 / 23


The #4 Crypto Primitives

Internet

CA’sprivate key

σ: Signature Primitive

DSA, DSS

!: Ke

y Ex

chan

ge P

rim

itiv

e

RSA

, Dif

fie-

Hel

lman

: En/Decryption PrimitiveC

Block + Stream ciphers (AES, ChaCha)

MD

5, S

HA

, Pol

y130

5

h : H

ash

Prim

itiv

e

Bob’sprivate key

public keyBob’s

public keyCA’s

CertificateAuthority (CA)

Asymmetricalcrypto

Symmetricalcrypto

BobAlice

Figure: The #4 crypto primitives5 / 23


TLS Use Cases

EHLO client220 hostname EMSTP

250-hostname250-PIPELINING250-8BITMIME250-SIZE 0250-AUTH LOGIN250 STARTTLS

TCP SYN

STARTTLS220 Ready to start TLS

SMTP-Server

TCPListenPort 25

Internet

EHLO client220 hostname EMSTP

250-hostname250-PIPELINING250-8BITMIME250-SIZE 0250 AUTH LOGIN

TCP SYN

SMTP-Client(MUA)

SMTPS-ServerTCPListenPort 465

TLS Tunnel

Internet

a) b)

TLS Handshake

TLS TunnelTLS Handshake

SMTP-Client(MUA)

Figure: Immediate TLS and delayed TLS encryption; aka STARTTLS / STLS

• Immediate/mandatory TLS encryption: HTTPS, SMTPS, LDAPS, IMAPS,POP3S, QMTPS

• Delayed/optional TLS encryption: ESMTP + StartTLS, POP3 + STLS

6 / 23


TLS Networking Layering

Internet Protocol (IP)Transmission Control Protocol (TCP)

HTTP, SMTP, LDAP, ...

Application protocolTLS Record Layer Protocol

AlertChange CipherSpec

Hand-shake

Heart-beat

(Type 24) (Type 22) (Type 20) (Type 21)(Type 23)

User Datagram Protocol (UDP)

Figure: TLS protocol layering

• TLS is located on top of TCP/UDP (layer 4+5) and below the application layer(7).

• It provides a ’mini’ layering.• The Record layer can be considered as transmission layer: The workhorse.• Handshake, Change Cipher and Alert messages are mostly un-encrypted (using a

NULL-encryption).• The Application messages are encrypted and protected.• The Heartbeat Protocol was added in 2011 with only rough evaluation (and fatal

consequences).7 / 23


The #4 Crypto Primitives within TLS < 1.3: The HandshakeTLS < 1.3 provides three different ways of handshakes:

• RSA handshake usingstatic RSA public andprivate keys (the RSApublic key is part of theX.509 certificate).

• Diffie-Hellman using theDiscrete Logarithmalgorithm (DHE) whileproviding ephemeral keys.The DH parameters canbe configured andchanged frequently.

• Diffie-Hellman withElliptic CurveCryptography (ECDHE).Curves and the DHparams (as starting pointfor the calculation aretypically fixed by theimplementation.

Internet (TLS-)Server(TLS-)Client

123

5678

910

ClientHelloServerHelloCertificate

ServerHelloDoneClientKeyExchangeChangeCipherSpecFinished

ChangeCipherSpecFinished

TCP segment TCP

segment=

IP packet

secured TLS connection

4ServerKeyExchange

TCP Three Way Handshake

TCP segment

TCP segment

Figure: TLS handshake message exchange

8 / 23


The #4 Crypto Primitives within TLS < 1.3: EncryptionTLS as the successor of SSL supports different sets of symmetrical de/encryption:Block ciphers:

• 64 bit key-length ��DES• 128 bit key-length ��3DES• 128, 256, 384, 512 bit key-length AES

↪→ The Block Ciphers are often used in ’stream-ing mode’: CBC, OFB, GCM.

Stream ciphers:• 40 + 128 bit key-length ��RC4• ChaCha20 (with TLS 1.2)

Symmetrical En-/De-cryption

Block Cipher

Stream Cipher

Feistel Chiffres (DES, 3DES,Lucifer, TEA)

Rijndael Chiffres (AES, Blowfish,

Serpant, Idea)

Cipher stream (RC4, A5/1+A5/2) One Time Pad

ECB CBC CFB S-Box LFSR NFSR

IV

+

common secret key Input data

Encryption-algorithm/implementation

Operations mode GCM

Cipher stream generation

fixed key

pseudo-random key

Steps:

Figure: TLS symmetric encryption9 / 23


The #4 Crypto Primitives within TLS < 1.3: Integrity Check

• TLS (1.2) uses a keyword authenticated hash to provide authenticity and integrityfor the data: Message Authentication Code (keyed MAC).

• Since TLS employs both stream and block encryption, hashing is done per TLSrecord prior of encryption: MAC-then-encrypt (MtE).

MACMessage(s)

RLHeader

Length (2 Byte)Version (2 Byte)Protocol (1 Byte)

encrypted (optional)

Hashvalue

MP

Padding(optional )

Protocol =

MAC

Data of the application protocol

CompressionSegment

MACcalculation

Encryption

Record Layer Frame

Record LayerHeader

Segment Segment

Authkey

Sessionkey (+IV)

PL

20: ChangeCipherSpec Protocol21: Alert Protocol22: Handshake Protocol23: Application Protocol (HTTP, ….)24: Heartbeat Protocol (DTLS; maybe also TLS)

Figure: Checking the integrity of transmitted data

10 / 23


The #4 Crypto Primitives within TLS < 1.3: Cipher Suites• Crypto primitives used for the current session are provided as Cipher Suite.• The TLS protocol enumerates the sets fo crypto primitives.

TLS _KeyExchange+Authentication Encryption+Operational mode MAC

RSADH/DHEECDH

Null*RC4(_40/_56/_128)DES(_40/_56)3DES_EDE(3)AES(_128/_256/_512)RC2(_128/_256)SEEDCAMILLA

ECB(default)CBCGCM

Anonymous DHRSARSA (Export)DSADSSECDSA

NullMD5SHA(1)SHA256SHA384

*) Stream cipher;all others:Block ciphers

__

Figure: TLS Cipher Suites [RFC 3268]

CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 };

CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 };CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 };CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 };CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 };CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A };

11 / 23



TLS < 1.3: Keymaterial and Keys• TLS uses a variety of hash functions to derive deterministically the

PreMasterSecret and the Session keys from the input material.• Hash functions are used to ’diffuse’ the input and thus pseudo random sequences

with significant entropy are the result.• This is called a ’Pseudo Random Function’ PRF.

ServerRandom ClientRandom'A' SHA

MD5

PreMasterSecret Hash

SHA

SHA

MD5

PreMasterSecret Hash

PreMasterSecret Hash MD5

Hash Hash Hash

Hash Hash Hash

PreMasterSecret ServerRandom ClientRandom'BB'

PreMasterSecret ServerRandom ClientRandom'CCC'

Hash HashHash

3 * 128 bit

} } }

MAC Secret Session Secret IV

Client Server Client Server Client Server

Initialisation vector IV: a) For Stream ciphers - or - b) for CBC/GCM operation mode

PreMasterSecret

Figure: Generating the PreMaster and the Session secrets

↪→ Given RSA encryption, the only ’random’ number is the client’s random providedduring the handshake. For Diffie-Hellman, client and server deliver a random value.

12 / 23


TLS < 1.3: Weaknesses

• Backward compatibility with ancient SSL 2.0 (older versions): Renegotiation.• ’Export ciphers’ suited for NSA de-cryption.• Control messages (Alerts, CCS) transmitted in clear text.• No particular state model, thus attacker can interrogate at any point.• Some Cipher suites (in particular with CBC) are weak or even bad.• Very little control on negotiated Cipher suites (mod_ssl).• Handshake is slow.• Session Resumption with persistent data.• Handshake can be broken up (MitM).• MtE delivery valuable information for a hacker given its data decryption.

↪→ TLS (as successor of SSL) is broken by design; it is ’just’ working and deployed ...everywhere.

13 / 23


TLS 1.3 – SummaryAfter years of discussion, the IETF released TLS 1.3 in RFC 8446 (and RFC 8447.

• The TLS 1.3 core is a complete redesign.• Compatibility with older TLS version is provided supporting its ’skeleton’

behaviour and faking a TLS 1.2 handshake.• As already used in previous TLS releases, TLS 1.3 uses the ’Hello Message’ to

transport the new parameters.• ECDHE key exchange is mandatory and the only one!• TLS uses only a very restricted set of Cipher Suites.• Those Ciphers Suites (apart from AES and GCM) are mainly based on Dan

Bernstein’s developments.• TLS 1.3 protects the negotiated data as soon as it is possible during the

handshake.• ’Early’ Application Data can be transmitted in the handshake.• The handshake in TLS 1.3 is much more efficient and – using Session Resumption

– provides a 0RTT capability.

↪→ Though trying to cope with older TLS versions, TLS 1.3 is a different beast. Some’Middleboxes’ don’t allow to let the TLS 1.3 traffic through, since it does not look likeas expected.

14 / 23




TLS 1.3 – HandshakeThe TLS 1.3 is much more efficient using an early encryption scheme.

Internet (TLS) Server(TLS) Client

1

Finished (HKDF/Handshake)

Message

2a

TCP Session established

a)

Version = 3.3, Random, Nonce, Cipher Suites, C = 0,

ClientHello

Version = 3.3, Random, SessionID, Cipher Suite, C = 0,

ServerHello

Certificate Verify (signature TH)Certificate

3 Finished (HKDF/Handshake)

Generates Master & Session keys

TLS Connection

Verifies CertificateGenerates Master & Session keys

Internet (TLS) Server

(TLS) Client

1

Finished (HKDF/Handshake)

MessageTCP Session established

b)

Certificate Verify (signature TH)Certificate

Finished (HKDF/Handshake)TLS Connection

Certificate Request

CertificateCertificate Verify (signature TH)

Version = 3.3, Random, Nonce, Cipher Suites, C = 0,

ClientHello

Version = 3.3, Random, SessionID, Cipher Suite, C = 0,

ServerHello

Key

Exc

hang

eAu

then

ticat

ion

Message

2b2c2d

2a

2b2c2d2e

3a

3c3b

Extensions: ’x304’, ALPN

Extensions: ’x304’, ADP

Extensions: ’x304’, ALPN

Extensions: ’x304’, ADP

en-crypted en-

crypted

HKDF(shared secret,“s/c hs traffic“,TH)HKDF(shared secret,“c/s app traffic …“,TH)

Traf

fic ke

y

Application key

Figure: TLS 1.3 Handshake; (a) without and (b) with Client Certificate Request; ALPN: ApplicationLayer Protocol Notifications

Only three messages are exchanged:Client → Server The (unencrypted) Client Hello message.Server → Client The Server Hello message: The first part including protocol artefacts in

clear text; the further parts are encrypted with a provisional secret(Traffic Key) covering in particular the X.509 cert.

Client → Server The encrypted Finish message, telling that the Application Key isready for use. 15 / 23


TLS 1.3 – Cipher Suites

TLS _KeyExchange+Authentication Encryption+Operational mode MAC

ECDHENullAES_128_GCM_SHA256 AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256AES_128_CCM_SHA256 AES_128_CCM_8_SHA256

SHA-256SHA-384

__

secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),x25519(0x001D),x448(0x001E)

Figure: TLS 1.3 Cipher Suites

CipherSuite TLS_AES_128_GCM_SHA256 {0x13,0x01}CipherSuite TLS_AES_256_GCM_SHA384 {0x13,0x02}CipherSuite TLS_CHACHA20_POLY1305_SHA256 {0x13,0x03}CipherSuite TLS_AES_128_CCM_SHA256 {0x13,0x04}CipherSuite TLS_AES_128_CCM_8_SHA256 {0x13,0x05}

Note: CCM = Cipher Block Chaining - Message Authentication Code (CBC-MAC)

↪→ No particular Authentication method is indicated. Apart from PSK all TranscriptMessages are authenticated requiring a valid server X.509 certificate.

openssl ecparam -list_curves

16 / 23


TLS 1.3 – Record Layer

MACMessage(s)

RL-Header

Length (2 Byte)Version (2 Byte)Content type (1 Byte)

encrypted (optional)

Hashvalue

MP PL

Padding(optional )

HMAC

Application data

CompressionSegment

MAC-calculation

Encryption

Record Layer Frame

Record LayerHeader

Segment Segment

a) b)

Message(s)

Length (2 Byte)Version = x’303’Content type (1 Byte)

Zero

Application data

Segment

AEADencryption

Record Layer Frame

Record LayerHeader

Segment Segment

d)

c)

Paddingoptional

SecretNonceAdditional data

Content type Padding length (1 Byte)

Figure: TLS 1.3 a) Record layer structure w and c) w/o MAC, b) Record with MAC, d) Record withAEAD

17 / 23


TLS 1.3 – Keys

HKDF-Extr.Handshake

SecretHandshake Secret,

„s hs traffic“,TSH(HelloMessages)

Handshake Secret, „c hs traffic“,

TSH(HelloMessages)

HKDF-Extr.Master Secret

Master Secret, „c ap traffic“,

TSH(HelloMessages)

Master Secret, „s ap traffic“,

TSH(HelloMessages)

Master Secret, „exp master“,

TSH(HelloMessags)

Master Secret, „res master“,

TSH(HelloMessages)

HKDF-Extr.Early Secret

Early Secret, „c e traffic“,

TSH(ClientHello)

Early Secret, „ext binder |

res binder“, „∅“

Early Secret, „e exp master“,

TSH(ClientHello)

(EC)DHESecret

Early Secret, „derive“, „∅“

Pre Shared Keys

Handshake/Key Exchange

Traffic En/Decryption

binder key(Label)

Client Early Traffic Secret

Early Exporter Master Secret

Client Traffic Handshake Secret

Server Traffic Handshake Secret

Client ApplicationTraffic Secret_0

Server ApplicationTraffic Secret_0

Exporter Master Secret

PSK | 0

Resumption Master Secret

0

DerivedSecret

DerivedSecret

Handshake Secret, „derive“, „∅“

0

none

-de

term

inis

tic

Key GenerationPipeline

Session ResumptionPRF Exporter

itera

tive

key

gene

ratio

n

stateful key usage

Figure: TLS 1.3 Key generating procedure using HKDF18 / 23


TLS 1.3 – PSK & 0RTT and Grease

Session Resumption is possible withinTLS 1.3 provided, both client andserver store the negotiated secret (per-sistently):Pre-shared Keys (PSK).

The PSK secret is indicated in the ClientHello message providing a hash of thePSK and coupled with the identity of theclient.

↪→ In this case, a TLS session can lit-erally succeed in one step, thus 0-RTT.However, this breaksPerfect Forward Secrecy (PFS)

Grease:Generate Random Extensions AndSustain Extensibility can applied byclient or server to ’test’ the counter-parts TLS 1.3 capabilities indicating’invalid’ Cipher Suites in the Hellomessage.

Internet

(TLS) Server

(TLS) Client

1Message

2


Versions= 3.3, Random, Nonce, CipherSuites, Compression = 0

ClientHello

Version = 3.3, Random, SessionID,Cipher Suite, Compression = 0

ServerHelloRetry

Supported Vers: …Key Share Hello Retry Request: x25519

Supported Vers: ’x304’Grease Supported Groups: x25519, secp256r1, …Key Share Entry: GreaseKey Share Entry: x25519 cd34bb1ac39….

Exte

nsio

ns

matching

k

Finished (HKDF/Handshake)TLS Connection

3

Ticket Lifetime, Ticket AgeTicket Nonce, Ticket …., Extensions

New Session TicketStores PSK-Label& Session keys

Figure: TLS 1.3 using Pre-shared Keys 19 / 23


TLS 1.3 – 1RTT

Session establishment can be acceler-ated in case both client and server don’tneed to negotiate the Cipher, but ratherprovide a quick focus: 1-RTT.

In this case, the client indicates to theserver to know already the (otherwisetransmitted) DH-Params and the cho-sen curve (for ECC) for a quick negoti-ation.

↪→ However, the server may havechanged its DH-Params, thus this pro-cedure would not work out. Rather,in this case, the server sends a HelloRetry message telling the new DH-Params. This procedure obviously doesnot violate PFS, since only protocolartefacts are provided by the client.

Internet (TLS) Server

(TLS) Client

1aMessage

2a


Versions= 3.3, Random, Nonce, CipherSuites, Compression = 0

ClientHello

Version = 3.3, Random, SessionID,Cipher Suite, Compression = 0

ServerHelloRetry

Supported Vers: …Key Share Entry: x25519Key Exchange: ef1bc93..

Exten

sions

2bApplication Data (23)

matching

1b Early Data (23)

Key Share Entry: x25519cd34bb1ac39….PSK Kex Exchange Modes:psk_dhe_kePSK Identity: identity, obfuscated ticket agePSK Binder: HMACsOffered PSK:identity, binders

Figure: TLS 1.3 using 1-RTT message exchange

20 / 23


Commercial spot

AU

TOR

ENH

EAD

LIN

E

Inklusive: Kapitel zum Internet of Things

anatol BADACH erwin HOFFMANN

Technik der IP-NETZE

INTERNET-KOMMUNIKATION IN THEORIE UND EINSATZ

4. Aufl age

Figure: Technik der IP-Netze (4th edition)

21 / 23


Implementation

OpenSSL 1.1.0:• Install OpenSSL 1.1.1 on OmniOSce – however without overwriting previous Libs.• How to tell which OpenSSL is installed?

fehQlibs + ucspi-ssl:• Install fehQlibs (under /usr/local).• Install ucspi-ssl using fehQlibs and OpenSSL 1.1.1.• How can you tell that OpenSSL 1.1.1 is in use for a client/server?

testssl:• Install Dirk Wetter’s ssltest from https://github.com/drwetter/testssl.sh• Test TLS 1.3. for some sites (including Google and fehcom).

WireShark:• Install WireShark (> 2.5).• Record a TLS 1.3 connection setup and do an interpretation of the negotiation.

22 / 23

https://github.com/drwetter/testssl.sh


Bibliography

• RFC 8446• RFC 8447• https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08

23 / 23



https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08

Was ist neu bei TLS 1.3? - FRAOSUG · • TLS 1.3 protects the negotiated data as soon as it is...

Documents

Transcript of Was ist neu bei TLS 1.3? - FRAOSUG · • TLS 1.3 protects the negotiated data as soon as it is...