Egor Podmokov - TLS from security point of view
Download as PPTX, PDF1 like265 views
This document provides an overview of the Transport Layer Security (TLS) protocol, including its history, purpose, and security issues. It discusses the two levels of TLS (handshake and recording layers), common attacks against previous versions like BEAST and Heartbleed, and the new improvements in TLS 1.3 like 0-RTT handshake and improved security. The goal of TLS is to provide privacy and integrity for communication between applications using encryption negotiated during the handshake and message authentication codes.
![BEAST TLS 1.0
msg segmentation to blocks
[login: *][*******] [*******] …
14](https://image.slidesharecdn.com/tls-170524051025/85/Egor-Podmokov-TLS-from-security-point-of-view-14-320.jpg)
Egor Podmokov - TLS from security point of view
- 1. Podmokov E.V. Go to TLS: information security specialist's view 1
- 2. Agenda • History • What’s it ? • Two levels of TLS • Security • TLS 1.3 2
- 3. History SSL 1.0-3.0 (…-1996) TLS 1.0 or SSL 3.1 (1999) TLS 1.1 (2006) TLS 1.2 (2008) TLS 1.3 (2017!?) tlswg.github.io/tls13-spec 3
- 4. The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session (see TLS handshake protocol). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see Algorithm below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected). The identity of the communicating parties can be authenticated using public- key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server). The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission. What’s it ? 4
- 5. What’s it ? App Presentation Session Phy Transport Network Data Link TLS Higher handshake layer Lower recording layer 5
- 6. Recording 6
- 10. Other • ChangeCipherSpec • Alert • Application Data 10
- 11. Certificate Authority @babayota_kun: habrahabr.ru/post/258285 Chain of trust Certificate Revocation List OCSP 11
- 12. TLS with ГОСТ • ГОСТ Р 34.10-2012 (RFC 7091) electronic digital signature • ГОСТ Р 34.11-2012 (RFC 6986) hash tc26.ru 12
- 13. BEAST TLS 1.0 Browser Exploit Against SSL/TLS Main algo with CBC Ci = E(Key, Mi xor Ci-1) If all msg is equal M1 = Ci-1 xor IV xor P C1 = E(Key, M1 xor IV) = = E(Key, (Ci-1 xor IV xor P) xor IV) = = E(Key, (Ci-1 xor P)) == Сi 13
- 14. BEAST TLS 1.0 msg segmentation to blocks [login: *][*******] [*******] … 14
- 16. BREACH blackhat.com/us-13/briefings.html#Prado MS Outlook WEB Access GET /owa/?ae=Item&t=IPM.Note&a=New&id= canary=<guess> <span id=requestUrl>https://malbot.net:443/owa/forms/ basic/BasicEditMessage.aspx?ae=Item&t=IPM.Note &a=New&id=canary=<guess> </span> ... <td nowrap id="tdErrLgf"><a href="logoff.owa?canary=d634cda866f14c73ac135ae85 8c0d894">LogOff</a></td> Token CSRF 16
- 17. Lucky-13 TLS 1.0-1.2 Padding-oracle based cryptopro.ru/blog/2013/02/19/kriptopro-tls-protiv-schastlivogo-chisla-13 17
- 19. 19
- 20. 20
- 21. 21
- 22. Others FREAK & Logjam POODLE (Padding Oracle On Downgraded Legacy Encryption) - MITM Sweet32 DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) THC-SSL-DOS …. 22
- 23. TLS 1.3 • Not compatible to 1.2 • New handshake • 0-RTT (round-trip time) • metadata 23
- 24. Links • TLS 1.3 tlswg.github.io/tls13-spec • TLS details tls.dxdt.ru/tls.html • DEV literature blog.cloudflare.com/introducing-tls-1-3 • Network blog.fourthbit.com/2014/12/23/traffic- analysis-of-an-ssl-slash-tls-session 24
Editor's Notes
- #16: https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit#slide=id.g1d134dff_1_152
- #17: https://www.blackhat.com/us-13/briefings.html#Prado http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
- #18: ietf.org/proceedings/89/slides/slides-89-irtfopen-1.pdf users.wpi.edu/~teisenbarth/pdf/Lucky13%20AsiaCCS2015.pdf
- #19: http://heartbleed.com/