SSL/TLS - wordpress.com
Post on 17-Jun-2020
TRANSCRIPT
1
SSL/TLS
Sreepriya Chalakkal
2
Network layer
3
Where is it used?
o Web browsing
o Email
o IM
o VoIP
o Internet faxing
o Etc
4
MITM
o Government agencies
o GCHQ, the British signals intelligence agency, records UK internet traffic and keeps it for three days
o Passive attacks
o Capture traffic
o Captured traffic can be attacked offline, and decrypted later if a key is ever recovered
o Active attacks
o Defeat authentication by impersonating one of the endpoints
5
Why TLS?
o Confidentiality
o Integrity
o Authentication
o Non-repudiation (often listed, but TLS does not actually provide it: record integrity relies on symmetric MACs or AEAD tags, so either endpoint could have produced any given record)
6
History
7
SSL 1.0, 2.0, 3.0
o SSL 1.0 never released; SSL 2.0 prohibited by RFC 6176 (2011)
o POODLE (2014) broke the CBC padding check of SSL 3.0
o SSL 3.0 deprecated in June 2015 (RFC 7568)
TLS 1.0
o No dramatic difference from SSL 3.0
o RFC 2246 (1999)
8
TLS 1.1 (RFC 4346)
o Added protection against CBC attacks: an explicit per-record IV replaces the chained IV taken from the previous record
o Support for IANA registration of parameters
TLS 1.2 (RFC 5246)
o MD5/SHA-1 combination in the PRF replaced by SHA-256
o Cipher suites may specify their own PRF
o Client and server can state which hash and signature algorithms they accept (signature_algorithms extension)
o GCM and CCM modes of AES (authenticated encryption)
9
TLS 1.3 (working draft when these slides were written; published as RFC 8446 in August 2018)
o Removing support for MD5, SHA-224 and weak elliptic curves
o Prohibiting RC4 and SSL 3.0 backward compatibility
o Requiring digital signatures even when a previous configuration is used
o Adding Curve25519 and Ed25519 to the TLS standard
10
Symmetric Encryption
o Fast
o Single shared key
o Key distribution is the hard part: the same secret must reach both parties safely
o Types: block and stream
o Every connection needs its own key
11
Asymmetric encryption
o Two keys: public, private
o Slow
o Key distribution easier: only the public key has to be shared
o Used for authentication (and for key exchange or key transport)
12
Protocol (layering)
Application
Handshake | Change CipherSpec | Alert
TLS Record Protocol
Transport (TCP)
Internet (IP)
Link
13
Handshake
(slides 14-15: handshake message-flow diagrams, image only)
16
Key exchange
o RSA (key transport: the client encrypts the pre-master secret to the server's public key)
o No forward secrecy: a recorded session can be decrypted later if the server's private key leaks
o Ephemeral Diffie-Hellman (DHE_RSA)
o Forward secrecy
o Slow
o ECDHE_RSA and ECDHE_ECDSA
o ECDHE – key agreement with forward secrecy, faster than DHE; the suffix names the signature algorithm used for authentication
17
Encryption
o 3DES, AES, ARIA, Camellia, RC4, SEED
o Three types supported
o Stream
o Block (CBC mode)
o Authenticated encryption (AEAD: GCM, CCM)
o AEAD eliminates padding attacks, since there is no separate MAC-then-pad-then-encrypt step to attack
18
Authentication
o Closely coupled with key exchange
o RSA
o Implicit: only the holder of the server's private key can decrypt the pre-master secret, so only the real server can complete the handshake
o DHE and ECDHE
o The server signs the ephemeral parameters (together with both randoms) with its private key
o The client verifies that signature with the public key from the server's certificate
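The key exchange and authentication slides describe ephemeral Diffie-Hellman and the key derivation that follows it in words; the Python below is an added illustration written for this transcript, not code from the slides or their author. It uses only the standard library, takes the 1536-bit MODP group (RFC 3526 group 5, transcribed here, and smaller than a server should use today) as an assumed parameter set, and implements the TLS 1.2 PRF from RFC 5246. The signature a real server places over the ServerKeyExchange parameters is left as a comment, because the standard library has no RSA or ECDSA primitives; the example therefore shows key agreement, key derivation and the forward-secrecy property, not the authentication step.

```python
"""Ephemeral Diffie-Hellman key agreement plus TLS 1.2 key derivation, written
as an added illustration of the key-exchange slides (standard library only).
The server's signature over the ServerKeyExchange parameters is not
implemented: the standard library has no RSA/ECDSA, so that step is marked
with a comment where it would sit."""
import hashlib
import hmac
import secrets

# 1536-bit MODP group, RFC 3526 group 5, generator 2 (transcribed from the RFC;
# production servers should use 2048-bit or larger groups).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC chained over A(i) values."""
    out = b""
    a = hmac.new(secret, seed, hashlib.sha256).digest()          # A(1)
    while len(out) < length:
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i+1)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


class DHParty:
    """One side of the ephemeral DH exchange; the private exponent never leaves it."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 3) + 2      # x in [2, p-2]
        self.pub = pow(G, self.priv, P)               # Ys or Yc, sent in the clear

    def pre_master_secret(self, peer_pub: int) -> bytes:
        # Reject degenerate public values (0, 1, p-1) that would force a
        # predictable shared secret.
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid DH public value")
        z = pow(peer_pub, self.priv, P)
        # RFC 5246 8.1.2: the pre-master secret is Z with leading zero bytes stripped.
        return z.to_bytes((z.bit_length() + 7) // 8, "big")


def derive(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Master secret and key block for an AES_128_GCM suite (RFC 5246 6.3 and 8.1)."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # AEAD suites need no MAC keys: 2 x 16-byte keys + 2 x 4-byte implicit nonces.
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "master_secret": master,
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def handshake() -> tuple:
    """Run a DHE exchange between an in-process client and server.

    Returns (client_keys, server_keys); the two must be identical."""
    client_random = secrets.token_bytes(32)   # ClientHello.random
    server_random = secrets.token_bytes(32)   # ServerHello.random
    server, client = DHParty(), DHParty()
    # ServerKeyExchange carries (p, g, Ys).  A real server signs
    # client_random + server_random + params with its certificate key here;
    # that signature is what ties the ephemeral parameters to its identity.
    server_keys = derive(server.pre_master_secret(client.pub), client_random, server_random)
    # ClientKeyExchange carries Yc.  Only p, g, Ys, Yc and the randoms cross the wire.
    client_keys = derive(client.pre_master_secret(server.pub), client_random, server_random)
    # Forward secrecy: both private exponents are discarded after the handshake,
    # so a recorded transcript cannot later be turned back into the pre-master secret.
    del server.priv, client.priv
    return client_keys, server_keys


if __name__ == "__main__":
    c, s = handshake()
    print("master secrets match:", c["master_secret"] == s["master_secret"])
    print("client_write_key:", c["client_write_key"].hex())
```

Compare this with the RSA key-transport case on the slide: there the pre-master secret itself is encrypted to the server's long-term key and travels on the wire, so anyone holding a capture and, later, that key can rerun derive() and read the session; in the DHE exchange above the capture contains only public values.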
19
TLS Record protocol
o Fragments outgoing messages into records (at most 2^14 bytes of plaintext each)
o Reassembles incoming records
o Calculates the MAC (or the AEAD tag)
o Encrypts outgoing and decrypts incoming records
20
TLS Alert protocol
struct {
    AlertLevel level;
    AlertDescription description;
} Alert;
o Simple notification mechanism
o Warning and error messages, e.g. close_notify (warning level) and handshake_failure (fatal)
21
Cipher suites
o Named combination of key exchange, authentication, encryption and MAC algorithms
o More than 300 official cipher suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE – key exchange (ephemeral ECDH)
RSA – authentication (signature over the key exchange parameters)
AES – encryption
128 – key size in bits
GCM – mode; authenticated encryption, so it also provides integrity (the MAC role)
SHA256 – hash for the PRF, and for the HMAC in non-AEAD suites (suite-specified PRF hashes exist only from TLS 1.2)
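As an added example that is not from the slides, the parser below splits an IANA cipher-suite name into the components the slide lists and flags the combinations the later attack slides warn about (RSA key transport, CBC with MAC-then-encrypt, RC4, export grades, anonymous key exchange). The suite names used are constructed for the illustration; TLS 1.3 names, which carry no _WITH_ part, are handled separately because there the key exchange is negotiated outside the suite.

```python
"""Added example (not from the slides): split IANA cipher-suite names into
their components and flag the combinations a practitioner would reject.
Standard library only; the suite names below are constructed examples."""

HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
# Ciphers whose key size is not spelled out in the suite name.  3DES has a
# 168-bit key but only 112 bits of effective strength.
FIXED_KEY_BITS = {"3DES": 112, "DES": 56, "DES40": 40, "IDEA": 128,
                  "CHACHA20": 256, "NULL": 0}


def parse_suite(name: str) -> dict:
    """Break TLS_<kx>_<auth>_WITH_<cipher>_<hash> (or a TLS 1.3 name) into fields."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS suite name: {name}")
    body = name[4:]
    if "_WITH_" in body:
        kx_part, cipher_part = body.split("_WITH_", 1)
        parts = kx_part.split("_")
        export = "EXPORT" in parts                        # 40/56-bit export grade
        parts = [p for p in parts if p != "EXPORT"]
        kx = parts[0]                                     # RSA, DHE, ECDHE, DH, ECDH, PSK ...
        auth = parts[1] if len(parts) > 1 else parts[0]   # TLS_RSA_*: RSA does both jobs
        forward_secrecy = kx in ("DHE", "ECDHE")          # ephemeral exponents only
    else:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key exchange: it is
        # negotiated separately and is always ephemeral (EC)DHE.
        cipher_part, export = body, False
        kx, auth, forward_secrecy = "(EC)DHE", "negotiated", True
    tokens = cipher_part.split("_")
    hash_ = tokens.pop() if tokens[-1] in HASHES else None  # CCM_8 suites name no hash
    cipher = tokens[0]
    key_bits = FIXED_KEY_BITS.get(cipher, next((int(t) for t in tokens if t.isdigit()), None))
    mode = "CBC" if "CBC" in tokens else next((t for t in tokens if t in AEAD_MODES), None)
    return {
        "kx": kx, "auth": auth, "forward_secrecy": forward_secrecy, "export": export,
        "cipher": cipher, "key_bits": key_bits, "mode": mode,
        "aead": mode in AEAD_MODES, "hash": hash_,
    }


def audit(name: str) -> list:
    """Findings a practitioner would raise against a suite; [] means acceptable."""
    s = parse_suite(name)
    findings = []
    if s["auth"] == "anon":
        findings.append("anonymous key exchange: no server authentication, trivial MITM")
    if not s["forward_secrecy"]:
        how = "RSA key transport" if s["kx"] == "RSA" else f"static {s['kx']}"
        findings.append(f"no forward secrecy ({how}): recorded traffic falls with the long-term key")
    if s["export"]:
        findings.append("export-grade suite")
    if s["cipher"] == "NULL":
        findings.append("NULL cipher: no confidentiality")
    if s["cipher"] == "RC4":
        findings.append("RC4: biased keystream, prohibited by RFC 7465")
    if s["cipher"] in ("3DES", "DES", "DES40"):
        findings.append(f"{s['cipher']}: 64-bit block, at most 112-bit strength")
    if s["key_bits"] and s["key_bits"] < 128:
        findings.append(f"{s['key_bits']}-bit key")
    if s["mode"] == "CBC":
        findings.append("CBC with MAC-then-encrypt: padding-oracle exposure (BEAST/Lucky 13 class)")
    if s["hash"] == "MD5":
        findings.append("MD5 MAC")
    return findings


if __name__ == "__main__":
    # Constructed list mixing suites a hardened server should and should not offer.
    for suite in [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    ]:
        print(suite, "->", audit(suite) or "ok")
```

The standard library's ssl.SSLContext.get_ciphers() lists what the local OpenSSL would actually offer, but in OpenSSL's own spelling (ECDHE-RSA-AES128-GCM-SHA256) with separate key-exchange and AEAD fields, so that output is not fed through the IANA-name parser above as-is.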
22
DHE vs ECDHE
o Assuming forward secrecy is a requirement
o ECDHE – faster, and smaller keys at the same security level
o DHE – the more conservative choice (finite-field DH has been studied longer), but slower, and it needs 2048-bit or larger groups
o Choose based on requirements (it depends)
23
Encryption Strength (key sizes in bits giving comparable security)
Symmetric   RSA/DSA/DH   Elliptic curve   Hash
80          1024         160              160
112         2048         224              224
128         3072         256              256
256         15360        512              512
NIST Special Publication 800-57, Recommendation for Key Management - Part 1: General, Revision 3
24
Security levels in bits
Protection                                        Sym   Asym    DH      EC    Hash
Short-term protection for medium organisations    72    1008    1008    144   144
10 years                                          96    1776    1776    192   192
30 years                                          128   3248    3248    256   256
Increased defence against quantum computers       256   15424   15424   512   512
ECRYPT II yearly report on algorithms and key sizes (30 Sept 2012)
25
Attacks [RFC 7457]
o SSL Stripping
o Generic downgrade attack: the attacker in the path rewrites HTTPS links and redirects to plain HTTP
o Applicable if the client initially uses HTTP (HSTS is the defence)
o STARTTLS command injection
o Attack on the transition from the unprotected to the TLS-protected channel
o Commands injected in plaintext before STARTTLS are executed after TLS is established, as if they had been sent over the protected channel
26
Attacks [RFC 7457]
o BEAST
o Issue with CBC in TLS 1.0 and earlier
o Predictable IV: the last ciphertext block of the previous record (fixed by explicit IVs in TLS 1.1)
o Used to decrypt HTTP cookies
o Padding oracle attacks
o Issue with the MAC-then-encrypt design
o Timing side channel
o Lucky 13 (TLS CBC timing), POODLE (SSL 3.0 CBC padding, not RC4)
27
Attacks [RFC 7457]
o Attacks on RC4
o Variety of cryptographic weaknesses
o Biases in the RC4 key stream
o Could be exploited with about 2^26 sessions, which is feasible
o Compression attacks
o CRIME, TIME, BREACH
o Disable TLS compression (stops CRIME; BREACH uses HTTP-level compression of responses and needs application-side mitigation)
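The RC4 bullets above are the slide's summary of RFC 7457; the Python below is an added example, not the slides' code, that makes "biases in the key stream" concrete by implementing RC4 and measuring the Mantin-Shamir bias of the second keystream byte (it is 0 with probability about 1/128 rather than 1/256), then using that bias to recover a plaintext byte that is repeated across many sessions, as a cookie is. Keys are drawn from a seeded PRNG so the run is repeatable (constructed data). The 2^26-session figure on the slide refers to the full set of single-byte biases used by AlFardan et al.; this is only the strongest single one, so it needs far fewer sessions but recovers only one byte.

```python
"""Added example (not from the slides): RC4 keystream generation and the
Mantin-Shamir second-byte bias that the 'biases in RC4 key stream' bullet
refers to.  Standard library only; keys come from a seeded PRNG so the run is
repeatable (constructed data, not captured traffic)."""
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 under `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): data XOR keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def second_byte_histogram(plain_byte: int, sessions: int, seed: int = 1) -> list:
    """Encrypt the same plaintext byte at position 2 under `sessions` fresh
    random 128-bit keys and count each ciphertext value.  Because the second
    keystream byte is 0 about twice as often as any other value, the most
    frequent ciphertext value is the plaintext byte itself."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        z2 = rc4_keystream(key, 2)[1]
        counts[plain_byte ^ z2] += 1
    return counts


def recover_second_byte(counts: list) -> int:
    """Majority vote over the histogram: the attacker's guess for plaintext byte 2."""
    return max(range(256), key=counts.__getitem__)


if __name__ == "__main__":
    hist = second_byte_histogram(ord("A"), 16000)
    print("recovered:", chr(recover_second_byte(hist)),
          "zero-keystream rate at byte 2:", hist[ord("A")] / 16000)
```

The attacker never sees the keys, only the ciphertexts; what makes the attack work is that the same plaintext byte sits at the same position in every session, which is exactly the situation with a cookie sent on every request.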
28
Attacks [RFC 7457]
o Certificate and RSA-related attacks
o DoS
o Implementation issues
o Heartbleed
o Random number generation
o Protocol downgrade
o Deployment weaknesses
o e.g. TLS session cache sharing
29
HSTS, CSP, Pinning (to read)
o HSTS – HTTP Strict Transport Security
o Tells browsers to use only HTTPS for the host on later visits (defeats SSL stripping)
o Cookie security (Secure flag)
o Deployment checklist
o CSP – Content Security Policy
o Allows web site operators to control the behaviour of user agents (against XSS)
o Pinning
o Associates a service with one or more cryptographic identities (keys or certificates)
30
Questions ?
Thank you