ssl/tls - wordpress.com · ssl 1.0, 2.0, 3.0 o poodle against rc4 in 2014 o deprecated in june 2015...

SSL/TLS - Sreepriya Chalakkal


Post on 17-Jun-2020



SSL/TLS

Sreepriya Chalakkal


Network layer


Where is it used?

o Web browsing

o Email

o IM

o VoIP

o Internet faxing

o Etc


MITM

o Government agencies

o GCHQ, the British spy agency, records all UK internet traffic and keeps it for three days.

o Passive attacks

o Captured traffic

o Could help break encryption

o Active attacks

o Trick authentication


Why TLS?

o Confidentiality

o Integrity

o Authentication

o Non-repudiation


History


SSL 1.0, 2.0, 3.0

o POODLE against RC4 in 2014

o Deprecated in June 2015

TLS 1.0

o No dramatic difference from SSL 3.0

o RFC 2246


TLS 1.1

o Added protection against CBC attacks

o Support of IANA registration of parameters

TLS 1.2

o MD5-SHA1 replaced by SHA256

o Additional custom parameters (PRF)

o Enhancement in the client's and server's ability to specify which hash and signature algorithms they accept.

o GCM and CCM mode of AES


TLS 1.3 (working draft)

o Removing support for

o MD5, SHA224, weak elliptic curves

o Prohibiting RC4 or SSL backward compatibility

o Requiring digital signatures even when a previous configuration is used

o Adding of Curve25519 and Ed25519 to the TLS standard


Symmetric Encryption

o Fast

o Single key

o Key sharing

o Types: block and stream

o Every connection needs a key


Asymmetric encryption

o Two keys: public, private

o Slow

o Key sharing easier

o Deployed for authentication


Protocol

[Figure: TLS in the protocol stack. Layer labels: Application, Transport, Internet, Link. TLS labels: Handshake, Change CipherSpec, Alert, TLS Record Protocol.]


Handshake



Key exchange

o RSA

o No forward secrecy

o Ephemeral Diffie Hellman (DHE_RSA)

o Forward secrecy

o Slow

o ECDHE_RSA and ECDHE_ECDSA

o ECDHE – key agreement


Encryption

o 3DES, AES, ARIA, Camellia, RC4, SEED

o Three types supported

o Stream

o Block

o Authenticated encryption

o Eliminates padding attacks


Authentication

o Closely coupled with key exchange

o RSA

o Implicit – only a server in possession of the private key can obtain the premaster secret

o DHE and ECDHE

o Parameters are signed with private key

o Client can verify by decrypting with public key


TLS Record protocol

o Divide outgoing messages into blocks

o Reassemble incoming messages

o Calculate MAC

o Encrypt messages and decrypt


TLS Alert protocol

struct {
    AlertLevel level;
    AlertDescription description;
} Alert;

o Simple notification mechanism

o Error messages and exceptions, e.g. close_notify
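
Added example (not part of the original slides): a parser for the record layer and the Alert struct described above, run over a constructed byte stream. The content type, level and description numbers are the TLS 1.2 values from RFC 5246; the function names and the sample bytes are made up for this illustration.

```python
import struct

# Values from the TLS 1.2 specification (RFC 5246); only a subset of alerts is listed.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 70: "protocol_version"}
MAX_FRAGMENT = 2**14 + 2048  # largest ciphertext fragment a record may carry


def iter_records(stream: bytes):
    """Yield (content_type, (major, minor), fragment) for each record in a byte stream."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} exceeds protocol maximum")
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        yield CONTENT_TYPES[ctype], (major, minor), fragment
        offset += 5 + length


def decode_alert(fragment: bytes):
    """Decode a plaintext Alert struct: one byte of level, one byte of description."""
    if len(fragment) != 2:
        # Once encryption is active the fragment is ciphertext and cannot be read here.
        raise ValueError("not a plaintext Alert")
    level, description = fragment
    return (ALERT_LEVELS.get(level, f"unknown({level})"),
            ALERT_DESCRIPTIONS.get(description, f"unknown({description})"))


def alerts_in(stream: bytes):
    """Return the decoded (level, description) pair of every alert record in the stream."""
    return [decode_alert(frag) for ctype, _, frag in iter_records(stream) if ctype == "alert"]


# Constructed sample: two TLS 1.2 (version 3.3) alert records back to back.
SAMPLE = bytes.fromhex("15030300020228" "15030300020100")

if __name__ == "__main__":
    print(alerts_in(SAMPLE))
```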


Cipher suites

o Named combination of authentication, encryption, MAC, and key exchange algorithms

o More than 300 official cipher suites

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDHE_RSA – key exchange

AES – encryption

128 – key size

GCM – MAC

SHA – Pseudorandom function (only TLS 1.2 supports this)
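
Added example (not part of the original slides): a cipher suite name split into the components listed above, with a flag for each weakness the deck itself names (static RSA key exchange, RC4, CBC, MD5). It assumes TLS 1.0-1.2 style names ending in a hash; the function name, field names and sample list are made up for this illustration.

```python
import re

# Assumption: TLS 1.0-1.2 style names, TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>.
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<hash>MD5|SHA|SHA256|SHA384)$")
EPHEMERAL_KX = {"DHE", "ECDHE"}
AEAD_MARKERS = {"GCM", "CCM", "POLY1305"}


def parse_suite(name: str) -> dict:
    """Split a cipher suite name into its parts and list weaknesses named in the slides."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unsupported cipher suite name: {name!r}")
    kx, _, auth = m["kx"].partition("_")
    parts = m["enc"].split("_")
    findings = []
    if kx == "RSA":
        findings.append("static RSA key exchange: no forward secrecy")
    if "RC4" in parts:
        findings.append("RC4: keystream biases")
    if "CBC" in parts:
        findings.append("CBC with MAC-then-encrypt: padding oracle exposure")
    if m["hash"] == "MD5":
        findings.append("MD5: removed in TLS 1.3")
    return {
        "key_exchange": kx,
        "authentication": auth or kx,  # plain RSA suites authenticate implicitly
        "cipher": parts[0],
        "key_bits": next((int(p) for p in parts if p.isdigit()), None),
        "aead": any(p in AEAD_MARKERS for p in parts),
        "forward_secrecy": kx in EPHEMERAL_KX,
        # For AEAD suites this hash drives the PRF; otherwise it is the HMAC hash.
        "hash": m["hash"],
        "findings": findings,
    }


# Constructed sample list, ordered from fewest findings to most.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite, parse_suite(suite)["findings"])
```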


DHE vs ECDHE

o Assuming forward secrecy is a requirement

o ECDHE – faster

o DHE – more trusted, slower

o Choose based on requirements (depends)


Encryption Strength

Symmetric   RSA/DSA/DH   Elliptic curve   Hash
80          1024         160              160
112         2048         224              224
128         3072         256              256
256         15360        512              512

NIST Special Publication 800-57, Recommendation for Key Management – Part 1: General, Revision 3


Security levels in bits

Protection                              Sym   Asy      DH       EC    Hash
Short term protection for medium orgs   72    1008     1008     144   144
10 years                                96    1776     1776     192   192
30 years                                128   3248     3248     256   256
Increased defense quantum computers     256   15,424   15,424   512   512

ECRYPT yearly report on algorithms and keysizes (30th Sept 2012)


Attacks [RFC 7457]

o SSL Stripping

o Generic downgrade attack

o Applicable if client initially uses HTTP

o STARTTLS Command injection

o Attack on transition from unprotected to TLS-protected

o STARTTLS allows command execution after TLS execution.


Attacks [RFC 7457]

o BEAST

o Issue with CBC

o Predictable IV

o Used to decrypt HTTP cookies

o Padding oracle attacks

o Issue with MAC then encrypt design

o Timing side channel attack

o Lucky 13, POODLE on RC4


Attacks [RFC 7457]

o Attacks on RC4

o Variety of crypto weaknesses

o Biases in RC4 key stream

o Could be exploited with 2^26 sessions, which is feasible

o Compression attacks

o CRIME, TIME, BREACH

o Disable TLS compression


Attacks [RFC 7457]

o Certificates and RSA related attacks

o DoS

o Implementation issues

o Heartbleed

o Random number generation

o Protocol downgrade

o Deployment weakness

o E.g. TLS session cache sharing


HSTS, CSP, Pinning (to read)

o HSTS – HTTP strict transport security

o Cookie security

o Deployment checklist

o CSP

o Allows web site operators to control behavior of user agents. (against XSS)

o Pinning

o Associates service with one or more crypto identities.


Questions?

Thank you