TRANSCRIPT
Presentation date: 2018 10 31
Presenter name: Norbert Muehr (Siemens PLM – GTAC EMEA)
Room name: Room Paris
Presentation title: Hardening SSL: Configuring a Teamcenter System for Perfect Forward Secrecy
PLM Europe 2018 – All rights reserved
Abstract
Although using encrypted communication has become an IT security principle for
many companies, much of the data sent across the globe still uses weak encryption,
which is in danger of being recorded and decrypted by external parties to steal
information.
This presentation will focus on the TLS/SSL implementation of elliptic curve
cryptography in Teamcenter and related PLM applications. Currently, EC cryptography is
stronger encryption than the commonly used RSA-based encryption if it is correctly
applied.
The presenter will try to illustrate the many influencing factors, such as browsers,
operating systems and middleware, that create risks which limit the strength of the
encryption and the level of security gained.
Agenda:
01. Why hardening SSL/TLS configurations
02. Comparison of RSA and Elliptic Curve cryptography
03. Which connections we cover in this presentation (TC System Architecture)
04. Level of security is the result of a negotiation
05. Sample Configuration: 4Tier RichClient - WebTier
06. Sample Configuration: FCC-FSC
07. Sample Configuration: NX 4Tier to TC Webtier
Unrestricted © Siemens AG 2018
YYYY-MM-DDPage 6 Siemens PLM Software
Why hardening SSL/TLS configurations
Various parties are interested in getting intellectual property from companies:
• Intelligence services of countries, or hacking groups doing business with them
  - Have replicated access to Internet exchange points or large backbone providers
  - Establish replication at submarine communications cables or use satellites for this
  - Hence especially affect WAN communication between offices and sites
  - Try to decrypt communication, and record what they cannot decrypt for later playback and cracking
• Organized crime, individual hackers or hacking groups selling to competitors
  - Often attack from inside the LAN
Why hardening SSL/TLS configurations
The consequence:
In large companies or on the open Internet, data is at high risk of being revealed during transport. Hence,
SSL/TLS is not enough! It should be state-of-the-art SSL/TLS!
The structure and quality of a TLS connection is determined by the cipher suite:
• Key Exchange
• Authentication (certificate key)
• Bulk Ciphers (transport)
• Message Authentication Code (integrity)
[Diagram labels: Technical life cycle; synchronous / asynchronous]
Synchronous versus asynchronous encryption
[Figure: synchronous versus asynchronous encryption; key labels: public, private, common]
Life cycle of encryption algorithm
1. Developed in lab
2. Defined as standard
3. Adopted by major software vendors
4. Cracked in lab (vulnerable)
5. Cracked real-time in datacenter
6. Removed by software vendors: operating systems, browsers, middleware, cloud providers
[Diagram labels: careless software providers; innovation of hardware (Moore’s law, quantum computers); published weaknesses of algorithm]
Evolution of SSL/TLS protocols
[Timeline figure: SSL 3.0, TLS 1.0, TLS 1.2, TLS 1.3]
Attacks shown: Poodle attack, BEAST attack, CRIME attack, Heartbleed attack (OpenSSL related), Robot attack
Other labels: weak session tickets; 0-RTT; banks and governments ("Weaker please!", "Weaker please!", "Faster please!")
Comparison of RSA and Elliptic Curve cryptography
To put things into perspective, according to a Universal Security study of 2013, breaking a
228-bit RSA key would take less energy than what is needed to boil a teaspoon of water.
Alternatively, breaking a 228-bit ECC key would require more energy than it would take to
boil all the water on earth.
[taken from https://www.keycdn.com/support/elliptic-curve-cryptography/ ]
• Key Exchange (over insecure connection)
• Authentication (private and public key)
• Bulk Ciphers (symmetric encryption during transport)
• Message Authentication (integrity)
In focus of this presentation!
Comparison of RSA and Elliptic Curve cryptography
RSA:
• asymmetric key (private + public)
• one key during the entire communication
• Key is created by prime number factorization
• When the key is cracked, the entire communication can be decrypted – if not now, then in future from recorded communication with better technology
• Higher performance during encryption
ECC:
• asymmetric key (private + public + curve)
• various keys during the entire communication
• All keys get calculated by a particular elliptic curve
• Lower performance during encryption, but mostly acceptable when properly configured
• When a key is cracked and a suitable algorithm is used, only a portion of the communication can be decrypted – even in future, hence it's called…
  -> see Perfect Forward Secrecy
Bit size
Comparison of RSA and Elliptic Curve cryptography
ECC: 256 bit key size | RSA: 3072 bit key size to be equally strong
ECC: 384 bit key size (top secret) | RSA: 7680 bit key size to be equally strong
What is Perfect Forward Secrecy (PFS)?
• Current gold standard in available strong encryption
• Based on the Ephemeral Diffie-Hellman algorithm (ECDHE)
• “Ephemeral” means “not static”, since each new TLS session uses a new key on the same elliptic curve
• Prevents some “known-to-be-vulnerable” ECC algorithms
• Due to its strength, preferred by banks, military and other security-sensitive use cases
Consider:
• As in any ECC, the security level depends on which curve is picked
• As in any encryption, the security level depends on the bit size of the keys
• How long is a TLS session?
Target Cipher
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Naming…
• ECDHE: get my keys through the evil internet via …
• ECDSA: create my private and public key via …
• AES_256_GCM: encrypt all the data being transferred after handshake using shared secret (GCM better than CBC)
• SHA384: checksum to prevent modification during transport
Why does that relate to Teamcenter?
• Teamcenter has a distributed architecture
• Much of the communication between the elements of this architecture runs over TCP
and supports SSL/TLS.
• Many customers of Teamcenter work hard to protect their intellectual property and
need to exchange data across offices and countries.
• Most of the manuals and white papers I have read in the past are based on the weaker RSA
encryption.
PS: By the way, SSL and TLS are both technologies for encrypted
communication. Many people still say SSL when they mean TLS.
• Large enterprise TLS encryption: Teamcenter web tier behind reverse proxies
• SME TLS encryption: Teamcenter web tier involved in TLS communication
Client-Server handshake
[Sequence diagram between TLS Client and TLS Server]
(1) Client Hello: supported ciphers, protocol version, random no#1 with time, session ID
(2) Server Hello: selected ciphers, cert (public key), random no#2, session ID, client cert request (2way)
(3) Verify server cert, check crypto params
(4) Client key exchange: send secret key (Pre-Master Secret, encrypted with public key)
(5) Send client cert (2way)
(6) Verify client cert (2way)
(7) Client finished
(8) Server finished
(9) Exchange messages, encrypted with shared key
What do we have at the end of handshake?
TLS Client:
• Public key of server
• Master secret
• Cipher suite agreed by client and server
• Protocol agreed by client and server
• Bulk-Key, MAC-Key
TLS Server:
• Private, public key of server
• Master secret
• Cipher suite agreed by client and server
• Protocol agreed by client and server
• Bulk-Key, MAC-Key
Cipher negotiation
[Sequence diagram between TLS Client and TLS Server]
(1) Client Hello: supported ciphers
(2) Server Hello: selected ciphers
Cipher list client:
• could be a browser, e.g. Chrome for AWC
• Java JSSE
• Schannel (Windows)
• Another web server
• …
Old client --> old ciphers!
Cipher list server (honour order!):
1. My best cipher
2. My second-best cipher
3. My worst acceptable cipher
Old server --> old ciphers!
Callouts: "Sorry, I am old and don’t know new ciphers"; "Boo, I have sniffed (recorded) your handshake!"
No common cipher: Handshake failed!
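The suite naming from the "Target Cipher" slide and the server-side selection from the "Cipher negotiation" slide, as an added example (not code from the presentation or from Teamcenter). The client and server suite lists and all function names are constructed for illustration; they are not vendor defaults.

```python
# Added example: constructed suite lists, not Teamcenter or vendor defaults.
TARGET = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
FALLBACK = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
LEGACY = "TLS_RSA_WITH_AES_128_CBC_SHA"
MODERN_CLIENT = [LEGACY, FALLBACK, TARGET]   # knows new suites, lists the old one first
OLD_CLIENT = [LEGACY]                        # "Sorry, I am old"
LAX_SERVER = [TARGET, FALLBACK, LEGACY]      # worst acceptable cipher is non-PFS
STRICT_SERVER = [TARGET, FALLBACK]           # PFS suites only

def parse_suite(name):
    """Split a TLS 1.2 suite name into the four parts named on the slide."""
    head, sep, tail = name.partition("_WITH_")
    if not name.startswith("TLS_") or not sep:
        raise ValueError("not a TLS 1.2 cipher suite name: " + name)
    parts = head[len("TLS_"):].split("_")
    key_exchange = parts[0]
    # TLS_RSA_WITH_*: the certificate key does key exchange and authentication.
    authentication = parts[1] if len(parts) > 1 else parts[0]
    bulk, _, digest = tail.rpartition("_")
    return {
        "key_exchange": key_exchange,
        "authentication": authentication,
        "bulk": bulk,
        "digest": digest,
        "pfs": key_exchange in ("ECDHE", "DHE"),   # ephemeral exchange only
        "gcm": bulk.endswith("GCM"),
    }

def negotiate(client_offer, server_prefs, honor_server_order=True):
    """Return the suite the server selects, or None if there is no common cipher."""
    first, second = (server_prefs, client_offer) if honor_server_order \
        else (client_offer, server_prefs)
    return next((s for s in first if s in second), None)

def report(client_offer, server_prefs, honor_server_order=True):
    """One-line verdict for a client/server pairing."""
    suite = negotiate(client_offer, server_prefs, honor_server_order)
    if suite is None:
        return "handshake failed: no common cipher"
    return suite + (" [PFS]" if parse_suite(suite)["pfs"] else " [no PFS]")

if __name__ == "__main__":
    print(report(MODERN_CLIENT, LAX_SERVER))          # server order honoured
    print(report(MODERN_CLIENT, LAX_SERVER, False))   # client order wins
    print(report(OLD_CLIENT, LAX_SERVER))             # old client pulls the session to non-PFS
    print(report(OLD_CLIENT, STRICT_SERVER))          # strict list: handshake fails instead
```

With the strict server list an old client is refused outright, which is the intended trade-off: a failed handshake instead of a recordable non-PFS session.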
TLS 1.2 Resumed sessions - session tickets/IDs
1. Resumed connections don't perform any Diffie-Hellman exchange
2. Session Tickets contain the session keys of the original connection, so a
compromised Session Ticket lets the attacker decrypt not only the resumed
connection, but also the original connection.
3. Session Tickets are sent in the clear at the beginning of the original connection.
4. Some J2EE web servers offer modifications of session ID handling
Solutions:
• Use TLS 1.3
• Disable SessionTickets
  - Tomcat: Only for APR connector
  - IIS: PowerShell: Disable-TlsSessionTicketKey
Influencing factors on strength of TLS implementation
• Bit size of algorithm (configuration)
• Consider client-server negotiation (configuration)
  - Prevent old browsers that require fallback to worse ciphers
  - If IE is used, consider the influence of Schannel settings
• Software versions
• Check web server config in detail
  - Cipher suite list as strict as possible and ordered
  - PFS, frequency of new TLS sessions
• OpenSSL version should be the very latest (after update, regenerate keys!)
• Download or enable the latest Java version with “Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction” where possible
• After the configuration is finished and the TLS connection works, test the cipher suites
actually used with Wireshark!
• If you are paranoid, also consider the strength and algorithm of your CA cert and
intermediate certs, and check which root certs are installed in your OS.
(Teamcenter) PFS Implementation steps
[Flow chart; boxes in reading order, step numbers 1 to 7 not recoverable per box]
Test TLS clients:
• Supported ciphers
• Protocols
• Avail. root certs
• Required cert format
Test TLS servers:
• Supported ciphers
• Protocols
• Avail. root certs
• Required cert format
Updated client list / Updated server list
Check whether config can be improved
Set encryption targets:
• Desired ciphers
• Desired protocols
• Cert vendor (own, commercial, Let’s Encrypt)
• Expected performance reduction (measure unencrypted)
Generate server keys and/or buy them
Download root certs and interm. certs
Distribute certs (signed public keys) for server + interm. + root in required key store formats
Simple tests:
• Resulting ciphers
• Performance impact
(Pen tests):
• Stealing priv. keys
• Common TLS attacks
Other labels: Refresh every 2 years; JSSE-Versions
Test implementation 1 - Root Key generation
Generally, keys may be generated using OpenSSL or Java. EC keys only possible in OpenSSL!
Create my own CA:
Create root cert:
# Write the curve parameters, then generate the root CA private key on that curve
openssl ecparam -name prime256v1 -out rootca_param.pem
openssl ecparam -in rootca_param.pem -genkey -noout -out rootca_key.pem
# Self-signed root certificate
openssl req -config openssl.cnf -key rootca_key.pem -new -x509 -days 7300 -sha384 -subj "/C=DE/ST=Hessen/L=Frankfurt/O=SPLM/OU=GTAC-EMEA/CN=GTAC ROOT CA" -out rootca_cert.pem
# Trust store holding only the root certificate (no private key)
openssl pkcs12 -export -in rootca_cert.pem -inkey rootca_key.pem -nokeys -name root -out trust.p12 -password pass:123456
[Diagram labels: openssl.cnf (CA config settings); generate rootca_key.pem, rootca_cert.pem; copy; copy trust.p12 (pw: 123456)]
Test implementation 2 – Server Key generation
Create main cert:
# Write the curve parameters, then generate the server private key on that curve
openssl ecparam -name prime256v1 -out prime256v1_param.pem
openssl ecparam -in prime256v1_param.pem -genkey -noout -out prime256v1_key.pem
# Certificate signing request for the server
openssl req -new -sha384 -key prime256v1_key.pem -out prime256v1_key.csr -subj "/C=DE/ST=Hessen/L=Frankfurt/O=SPLM/OU=GTAC-EMEA/CN=decgnvsrv"
# Sign the request with the root CA
openssl ca -config openssl.cnf -extensions server_cert -in prime256v1_key.csr -days 375 -keyfile rootca_key.pem -notext -md sha256 -batch -cert rootca_cert.pem -out prime256v1_cert.pem
# Optional: inspect the request
(openssl req -in prime256v1_key.csr -text -noout)
Often you would pay a commercial vendor for that step…
[Diagram labels: generate prime256v1_param.csr, prime256v1_key.csr; openssl.cnf (CA config settings); rootca_key.pem; signed; trust; create prime256v1_cert.pem]
Test implementation 3 - Which key store for which purpose?
• For Tomcat Server: JKS, PKCS11 or PKCS12 truststore. PW: ……
• For Tomcat Server: JKS, PKCS11 or PKCS12 keystore. PW: ………
• For NX-cURL: No keystore, just pem file
• For Java JSSE Client: JKS truststore “cacerts”. PW: ……..
Default CA root certs (shown twice in the diagram): Verisign, Thawte, Let's Encrypt, …
Certificates shown: prime256v1_cert; rootca_cert (three times)
Teamcenter PFS Implementation overview
[Architecture diagram]
Tiers: Client Tier, Web Tier, Enterprise Tier
Components: TCCS, 4-Tier RAC, TcServerProxy, TcMEM, FCC, FSC, FSCproxy, Thin Client in browser (IE11), Tomcat 8, WAS, Jetty, Teamcenter Server Manager, TCServer
Connections: SOA, HTTP, HTTPS (PFS), Named PIPE (Secured OS Pipes to TCCS)
Tomcat connectors: NIO Connector, BIO Connector, APR Connector (labels: Java JSSE, OpenSSL)
TLS stacks: Java JSSE (Java 8), OpenSSL, CURL, Schannel SSP->OS
Key material: Root CA PEM file, RootCA key, Main PEM file, Main key, Main cert (Pub), NX pkcs12 file, JSSE Truststore, Windows keystore, Keystore, Truststore
Markers: 1, 2, 3
Callout: "Boo, I have hacked your server and stolen your private keys"
Teamcenter Large company TLS Implementation overview
[Architecture diagram]
Tiers: Client Tier, Web Tier, Enterprise Tier
Components: TCCS, 4-Tier RAC, TcServerProxy, TcMEM, FCC, FSC, FSCproxy, Thin Client in browser (IE11), Tomcat 8, WAS, Jetty, Teamcenter Server Manager, TCServer, Reverse proxy
Connections: SOA, HTTP, HTTPS (PFS), Named PIPE (Secured OS Pipes to TCCS)
Tomcat connectors: NIO Connector, BIO Connector, APR Connector (labels: Java JSSE, OpenSSL)
TLS stacks: Java JSSE, Schannel SSP->OS
Key material: Windows keystore, Keystore, Truststore
Cipher Suite testing
Coming up…
TLS 1.3 – Coming to you soon!
• Tomcat: at minimum from 9.0.13 and 8.5.35 onwards
• IIS 10 (Schannel) on Windows Server 2016 – not yet available
• Java 11 – the first release officially implementing TLS 1.3
• Firefox since v57
• Chrome since v63
• Other browsers – not yet
No more RSA!
Vulnerability testing and config tools
Online, requires Internet connection:
Any Web server: https://www.ssllabs.com/ssltest/
Offline Config:
IIS: https://www.nartac.com/Products/IISCrypto
Obtaining state-of-the-art encryption information
https://www.ssllabs.com/ testing tools, server rating, cipher collections
Oracle JSSE reference guide: supported protocols, algorithms and key sizes for your JAVA version
https://www.wireshark.org/ Tools to test the actually used cipher
https://letsencrypt.org/ free TLS signed certificates
https://www.openssl.org/ Latest OpenSSL versions (includes tools to test CURL TLS)
Thank you.
www.plm-europe.org
www.siemens.com/plm
October 2018