Presentation date: 2018 10 31

Presenter name: Norbert Muehr (Siemens PLM – GTAC EMEA)

Room name: Room Paris

Presentation title: Hardening SSL: Configuring a Teamcenter-System for Perfect Forward Secrecy

® PLM Europe 2018 – All rights reserved

Abstract

Although using encrypted communication has become an IT security principle for many companies, much of the data sent across the globe still uses weak encryption, which is in danger of being recorded and decrypted by external parties to steal information.

This presentation will focus on the TLS/SSL implementation of elliptic curve cryptography in Teamcenter and related PLM applications. Currently, EC cryptography is stronger encryption than the commonly used RSA-based encryption if it is correctly applied.

The presenter will try to illustrate the many influencing factors, such as browsers, operating systems and middleware, that create risks which limit the strength of the encryption and the level of security gained.

Agenda:

01. Why hardening SSL/TLS configurations

02. Comparison of RSA and Elliptic Curve cryptography

03. Which connections we cover in this presentation (TC System Architecture)

04. Level of security is the result of a negotiation

05. Sample Configuration: 4Tier RichClient - WebTier

06. Sample Configuration: FCC-FSC

07. Sample Configuration: NX 4Tier to TC Webtier

Unrestricted © Siemens AG 2018

Why hardening SSL/TLS configurations

Various parties are interested in obtaining intellectual property from companies:

• Intelligence services of countries, or hacking groups doing business with them
  • Have replicated access to Internet exchange points or large backbone providers
  • Establish replication at submarine communications cables or use satellites for this
  • Hence especially affect WAN communication between offices and sites
  • Try to decrypt communication, and record what they cannot decrypt for later playback and cracking
• Organized crime, individual hackers or hacking groups selling to competitors
• Often attack from inside the LAN

Why hardening SSL/TLS configurations

The consequence:

In large companies or on the open Internet, data is at high risk of being revealed during transport. Hence, SSL/TLS is not enough! It should be state-of-the-art SSL/TLS!

The structure and quality of a TLS connection is determined by the cipher suite:

• Key Exchange
• Authentication (certificate key)
• Bulk Ciphers (transport)
• Message Authentication Code (integrity)

[Figure labels: technical life cycle; synchronous, asynchronous]

Synchronous versus asynchronous encryption

[Figure labels: synchronous, asynchronous; keys shown: public, private, common]

Life cycle of encryption algorithm

Stages shown in the figure:

• Developed in lab
• Defined as standard
• Adopted by major software vendors
• Cracked in lab (vulnerable)
• Cracked real-time in datacenter
• Removed by software vendors (operating systems, browsers, middleware, cloud providers)

Further figure labels:

• Careless software providers
• Innovation of hardware (Moore’s law, quantum computers)
• Published weaknesses of algorithm

Evolution of SSL/TLS protocols

[Figure: timeline of the protocol versions SSL 3.0, TLS 1.0, TLS 1.2 and TLS 1.3, annotated with: Poodle attack, BEAST attack, CRIME attack, Heartbleed attack (OpenSSL related), weak session tickets, Robot attack, 0-RTT. Speech bubbles from banks and governments: “Weaker please!”, “Weaker please!”, “Faster please!”]

Comparison of RSA and Elliptic Curve cryptography

To put things into perspective, according to a Universal Security study of 2013, breaking a 228-bit RSA key would take less energy than what is needed to boil a teaspoon of water. Alternatively, breaking a 228-bit ECC key would require more energy than it would take to boil all the water on earth.

[taken from https://www.keycdn.com/support/elliptic-curve-cryptography/ ]

• Key Exchange (over insecure connection)
• Authentication (private and public key)
• Bulk Ciphers (symmetric encryption during transport)
• Message Authentication (integrity)

In focus of this presentation!

Comparison of RSA and Elliptic Curve cryptography

RSA:

• Asymmetric key (private + public)
• One key during the entire communication
• Key is created by prime number factorization
• When the key is cracked, the entire communication can be decrypted; if not now, then in the future from recorded communication with better technology
• Higher performance during encryption

ECC:

• Asymmetric key (private + public + curve)
• Various keys during the entire communication
• All keys get calculated by a particular elliptic curve
• Lower performance during encryption, but mostly acceptable when properly configured
• When a key is cracked and a suitable algorithm is used, only a portion of the communication can be decrypted, even in the future, hence it's called…

->see Perfect Forward Secrecy

Bit size

Comparison of RSA and Elliptic Curve cryptography

• ECC: 256 bit key size; RSA: 3072 bit key size to be equally strong
• ECC: 384 bit key size (top secret); RSA: 7680 bit key size to be equally strong

What is Perfect Forward Secrecy (PFS)?

• Current gold standard in available strong encryption
• Based on the Ephemeral Diffie-Hellman algorithm (ECDHE)
• “Ephemeral” means “not static”, since each new TLS session uses a new key on the same elliptic curve
• Preventing some “known-to-be-vulnerable” ECC algorithms
• Due to the strength, preferred by banks, military and other security-sensitive use cases

Consider:

• As in any ECC, the security level depends on which curve is picked
• As in any encryption, the security level depends on the bit size of the keys
• How long is a TLS session?

Target Cipher

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Naming…

• ECDHE: get my keys through the evil internet via
• ECDSA: create my private and public key via
• AES_256_GCM: encrypt all the data being transferred after handshake using shared secret (GCM better than CBC)
• SHA384: checksum to prevent modification during transport

Why does that relate to Teamcenter?

• Teamcenter has a distributed architecture
• Much of the communication between the elements of this architecture runs over TCP and supports SSL/TLS.
• Many customers of Teamcenter work hard to protect their intellectual property and need to exchange data across offices and countries.
• Most of the manuals and white papers I read in the past are based on the weaker RSA encryption.

PS: By the way, SSL and TLS are both technologies for encrypted communication. Many people still say SSL when they mean TLS.

• Large enterprise TLS encryption: Teamcenter web tier behind reverse proxies
• SME TLS encryption: Teamcenter web tier involved in TLS communication

Client-Server handshake

Steps between TLS Client and TLS Server:

(1) Client Hello: supported ciphers, protocol version, random no#1 with time, session ID
(2) Server Hello: selected ciphers, cert (public key), random no#2, session ID, client cert request (2way)
(3) Verify server cert, check crypto params
(4) Client key exchange: send secret key (Pre-Master Secret, encrypted with public key)
(5) Send client cert (2way)
(6) Verify client cert (2way)
(7) Client finished
(8) Server finished
(9) Exchange messages, encrypted with shared key

What do we have at the end of handshake?

TLS Client:

• Public key of server
• Master secret
• Cipher suite agreed by client and server
• Protocol agreed by client and server
• Bulk-Key, MAC-Key

TLS Server:

• Private and public key of server
• Master secret
• Cipher suite agreed by client and server
• Protocol agreed by client and server
• Bulk-Key, MAC-Key

Cipher negotiation

Between TLS Client and TLS Server:

(1) Client Hello: supported ciphers
(2) Server Hello: selected ciphers

Cipher list client:

• could be browser i.e. Chrome for AWC
• Java JSSE
• Schannel (Windows)
• Another web server
• …

Old client --> old ciphers!

Cipher list server:

1. My best cipher
2. My second-best cipher
3. My worst acceptable cipher

Honour order!

Old server --> old ciphers!

Speech bubbles in the figure:

• “Sorry, I am old and don’t know new ciphers”
• “Boo, I have sniffed (recorded) your handshake!”

No common cipher: Handshake failed!
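An added example (not from the slides) that goes slightly beyond them: it splits suite names such as the target cipher into the four parts described on the naming slide, then simulates the server's selection from the cipher negotiation slide, with and without honouring the server order. The function names and the client/server suite lists are constructed for illustration.

```python
# Added example, not from the presentation. All suite lists are constructed samples.

PFS_KEY_EXCHANGES = {"ECDHE", "DHE"}          # ephemeral Diffie-Hellman variants
AEAD_MARKERS = {"GCM", "CCM", "POLY1305"}     # authenticated-encryption modes


def parse_suite(name):
    """Split a TLS 1.2 suite name (TLS_<kx>_<auth>_WITH_<cipher>_<hash>) into parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    key_exchange, _, authentication = left.partition("_")
    if not authentication:
        # e.g. TLS_RSA_WITH_...: the certificate key also does the key exchange
        authentication = key_exchange
    cipher_parts = right.split("_")
    digest = cipher_parts.pop()               # last token is the hash (MAC or PRF)
    return {
        "key_exchange": key_exchange,
        "authentication": authentication,
        "bulk_cipher": "_".join(cipher_parts),
        "hash": digest,
        "forward_secrecy": key_exchange in PFS_KEY_EXCHANGES,
        "aead": bool(AEAD_MARKERS & set(cipher_parts)),
    }


def negotiate(client_offer, server_list, honour_server_order=True):
    """Return the suite a server would select, or None if the handshake fails."""
    if honour_server_order:
        first, second = server_list, client_offer
    else:
        first, second = client_offer, server_list
    for suite in first:
        if suite in second:
            return suite
    return None                               # no common cipher


def audit(client_offer, server_list, honour_server_order=True):
    """Negotiate, then report whether the result meets the PFS + AEAD target."""
    suite = negotiate(client_offer, server_list, honour_server_order)
    if suite is None:
        return {"suite": None, "result": "handshake failed"}
    parts = parse_suite(suite)
    ok = parts["forward_secrecy"] and parts["aead"]
    return {"suite": suite, "result": "ok" if ok else "weak"}


TARGET = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
LEGACY = "TLS_RSA_WITH_AES_128_CBC_SHA"
STRICT_SERVER = [TARGET, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
LENIENT_SERVER = STRICT_SERVER + [LEGACY]     # "worst acceptable cipher" kept
MODERN_CLIENT = [LEGACY, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", TARGET]
OLD_CLIENT = [LEGACY]

if __name__ == "__main__":
    for label, client, server, honour in [
        ("modern client, server order honoured", MODERN_CLIENT, LENIENT_SERVER, True),
        ("modern client, client order used", MODERN_CLIENT, LENIENT_SERVER, False),
        ("old client, lenient server", OLD_CLIENT, LENIENT_SERVER, True),
        ("old client, strict server", OLD_CLIENT, STRICT_SERVER, True),
    ]:
        print(label, "->", audit(client, server, honour))
```

The second and third cases show how a lenient list or an ignored server order ends on an RSA key exchange without forward secrecy; the fourth is the "Handshake failed" outcome a strict list produces for an old client.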

TLS 1.2 Resumed sessions - session tickets/IDs

1. Resumed connections don't perform any Diffie-Hellman exchange
2. Session Tickets contain the session keys of the original connection, so a compromised Session Ticket lets the attacker decrypt not only the resumed connection, but also the original connection.
3. Session Tickets are sent in the clear at the beginning of the original connection.
4. Some J2EE web servers offer modifications of session ID handling

Solutions:

• Use TLS 1.3
• Disable SessionTickets
  • Tomcat: Only for APR connector
  • IIS: PowerShell: Disable-TlsSessionTicketKey

Influencing factors on strength of TLS implementation

• Bit size of algorithm (configuration)
• Consider client-server negotiation (configuration)
  • Prevent old browsers, which require fallback to worse ciphers
  • If IE is used, consider influence of Schannel settings
• Software versions
• Check web server config in detail
  • Cipher suite list as strict as possible and ordered
  • PFS, frequency of new TLS sessions
• OpenSSL version should be the very latest (after update, regen keys!)
• Download or enable the latest Java version with “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction” where possible
• After finishing the configuration and once the TLS connection works, test the used cipher suites with Wireshark!
• If you are paranoid, also consider the strength and algorithm of your CA cert and intermediate certs, and check which root certs are installed in your OS.

(Teamcenter) PFS Implementation steps

[Flow chart; the figure numbers its boxes as steps 1 to 7.]

Test TLS clients:

• Supported ciphers
• Protocols
• Avail. root certs
• Required cert format

Test TLS servers:

• Supported ciphers
• Protocols
• Avail. root certs
• Required cert format

Updated client list, updated server list

Check whether config can be improved

Set encryption targets:

• Desired ciphers
• Desired protocols
• Cert vendor (own, commercial, Let’s Encrypt)
• Expected performance reduction (measure unencrypted)

Generate server keys and/or buy them

Download root certs and interm. certs

Distribute certs (signed public keys) for server + interm. + root in required key store formats

Simple tests:

• Resulting ciphers
• Performance impact

(Pen tests)

• Stealing priv. keys
• Common TLS attacks

Refresh every 2 years

JSSE-Versions

Test implementation 1 - Root Key generation

Generally, keys may be generated using OpenSSL or Java. EC keys are only possible in OpenSSL!

Create my own CA:

Create root cert:

# Write the named-curve parameters for prime256v1
openssl ecparam -name prime256v1 -out rootca_param.pem

# Generate the root CA private key on that curve
openssl ecparam -in rootca_param.pem -genkey -noout -out rootca_key.pem

# Create the self-signed root certificate (7300 days, SHA-384 signature)
openssl req -config openssl.cnf -key rootca_key.pem -new -x509 -days 7300 -sha384 -subj "/C=DE/ST=Hessen/L=Frankfurt/O=SPLM/OU=GTAC-EMEA/CN=GTAC ROOT CA" -out rootca_cert.pem

# Export the root certificate only (-nokeys) into a PKCS#12 truststore
openssl pkcs12 -export -in rootca_cert.pem -inkey rootca_key.pem -nokeys -name root -out trust.p12 -password pass:123456

[Figure: openssl.cnf (CA config settings) is used to generate rootca_key.pem and rootca_cert.pem; copy into trust.p12 (pw: 123456)]

Test implementation 2 – Server Key generation

Create main cert:

# Write the named-curve parameters for prime256v1
openssl ecparam -name prime256v1 -out prime256v1_param.pem

# Generate the server private key on that curve
openssl ecparam -in prime256v1_param.pem -genkey -noout -out prime256v1_key.pem

# Create the certificate signing request for the server
openssl req -new -sha384 -key prime256v1_key.pem -out prime256v1_key.csr -subj "/C=DE/ST=Hessen/L=Frankfurt/O=SPLM/OU=GTAC-EMEA/CN=decgnvsrv"

# Sign the request with the root CA key to create the server certificate
openssl ca -config openssl.cnf -extensions server_cert -in prime256v1_key.csr -days 375 -keyfile rootca_key.pem -notext -md sha256 -batch -cert rootca_cert.pem -out prime256v1_cert.pem

# Optional: display the contents of the signing request
(openssl req -in prime256v1_key.csr -text -noout)

[Figure labels: generate prime256v1_param.csr / prime256v1_key.csr; signed with rootca_key.pem using openssl.cnf (CA config settings); create prime256v1_cert.pem; trust]

Often you would pay a commercial vendor for that step…

Test implementation 3 - Which key store for which purpose?

• For Tomcat Server: JKS, PKCS11 or PKCS12 truststore (PW: ……)
• For Tomcat Server: JKS, PKCS11 or PKCS12 keystore (PW: ………)
• For NX-cURL: no keystore, just pem file
• For Java JSSE Client: JKS truststore “cacerts” (PW: ……..)

[Figure: the stores are shown containing prime256v1_cert, rootca_cert (three times) and the default CA root certs (Verisign, Thawte, Let's Encrypt, …; twice)]

Teamcenter PFS Implementation overview

[Figure: Teamcenter architecture across Client Tier, Web Tier and Enterprise Tier. Components shown: 4-Tier RAC, TCCS (TcServerProxy, TcMEM, FCC; SOA/HTTP over named pipes, “Secured OS Pipes to TCCS”), Thin Client in browser (IE11), Tomcat 8, WAS, Jetty, Teamcenter Server Manager, TCServer, FSC, FSCproxy. TLS stacks shown: Java JSSE (Java 8), OpenSSL, cURL, Schannel SSP -> OS (Windows keystore); Tomcat connectors NIO, BIO and APR. Connections are labelled HTTPS (PFS) and numbered 1, 2, 3. Key material shown: Root CA PEM file, RootCA key, Main PEM file, Main key, Main cert (Pub), NX pkcs12 file, JSSE truststore, keystores and truststores. Speech bubble: “Boo, I have hacked your server and stolen your private keys”]

Teamcenter Large company TLS Implementation overview

[Figure: Teamcenter architecture across Client Tier, Web Tier and Enterprise Tier, with a reverse proxy. Components shown: 4-Tier RAC, TCCS (TcServerProxy, TcMEM, FCC; SOA/HTTP over named pipes, “Secured OS Pipes to TCCS”), Thin Client in browser (IE11), Reverse proxy, Tomcat 8, WAS, Jetty, Teamcenter Server Manager, TCServer, FSC, FSCproxy. TLS stacks shown: Java JSSE, OpenSSL, Schannel SSP -> OS (Windows keystore); Tomcat connectors NIO, BIO and APR; keystores and truststores. Connection label: HTTPS (PFS)]

Cipher Suite testing

Coming up…

TLS 1.3 – Coming to you soon!

• Tomcat: as minimum 9.0.13, 8.5.35 onwards
• IIS 10 (Schannel) on Windows Server 2016: not yet available
• Java 11: the first release officially implementing TLS 1.3
• Firefox since v57
• Chrome since v63
• Other browsers: not yet

No more RSA!

Vulnerability testing and config tools

Online, requires Internet connection:

Any Web server: https://www.ssllabs.com/ssltest/

Offline Config:

IIS: https://www.nartac.com/Products/IISCrypto

Obtaining state-of-the-art encryption information

https://www.ssllabs.com/ testing tools, server rating, cipher collections

Oracle JSSE reference guide: supported protocols, algorithms and key sizes for your JAVA version

https://www.wireshark.org/ Tools to test the actually used cipher

https://letsencrypt.org/ free TLS signed certificates

https://www.openssl.org/ Latest OpenSSL versions (includes tools to test CURL TLS)

Thank you.

www.plm-europe.org

www.siemens.com/plm

October 2018