Transport Layer (in)Security

Pfeiffer Szilárd

Balasys

Bob

Craig, Eve, Mallory, Sybil, Trudy, ...

Alice

Symmetric-key algorithms

Hash algorithms

#

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

a8ae2f4a56baf78845c041c833946d00

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua

5e1e4087285a6c7c7d503332b14c5bf7

Public-key algorithms

Digital signature

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

a8ae2f4a56baf78845c041c833946d00

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

WoT vs. PKI

Primitives

TLS protocol

  Cipher suite ECDHE-RSA-AES128-SHA256 (OpenSSL name), broken down by the parts of its IANA name:

    • _ECDHE        key exchange
    • _RSA          authentication
    • _AES_128_CBC  symmetric cipher
    • _SHA256       MAC
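The breakdown above (key exchange, authentication, symmetric cipher, MAC) and the grading categories used throughout this talk, as an added Python example that is not part of the original slides. It parses IANA suite names, accepts the common OpenSSL spellings such as ECDHE-RSA-AES128-SHA256, and also handles TLS 1.3 names, which carry no key exchange or authentication part. The OpenSSL alias tables, the issue wording and the insecure/weak/secure roll-up are my assumptions, not the speaker's tooling.

```python
"""Parse TLS cipher suite names into their components and grade them.

Added example, not from the slides. Accepts IANA names such as
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and common OpenSSL spellings such as
ECDHE-RSA-AES128-SHA256; the grading follows the categories used in this talk.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

EPHEMERAL_KX = {"ECDHE", "DHE"}
INSECURE_CIPHERS = {"RC4", "NULL", "3DES_EDE", "DES", "IDEA", "RC2", "GOST", "SEED"}
UNUSED_CIPHERS = {"ARIA", "CAMELLIA"}          # "Far East" ciphers, rarely deployed
AEAD_MODES = {"GCM", "CCM", "CCM_8"}
COLLISION_HASHES = {"MD5", "SHA"}              # "SHA" in a suite name means SHA-1

# Assumed alias tables: OpenSSL tokens -> IANA tokens, covering common suites only.
_OPENSSL_KX_AUTH = {t: t for t in ("ECDHE", "DHE", "ECDH", "DH", "RSA", "ECDSA", "DSS", "PSK")}
_OPENSSL_KX_AUTH.update({"ADH": "DH_anon", "AECDH": "ECDH_anon"})
_OPENSSL_CIPHERS = {"AES128": "AES_128", "AES256": "AES_256", "CHACHA20": "CHACHA20",
                    "RC4": "RC4_128", "DES-CBC3": "3DES_EDE_CBC", "SEED": "SEED_CBC",
                    "CAMELLIA128": "CAMELLIA_128", "CAMELLIA256": "CAMELLIA_256"}
_OPENSSL_MODES = {"CBC": "CBC", "GCM": "GCM", "CCM": "CCM", "CCM8": "CCM_8", "POLY1305": "POLY1305"}

_IANA_RE = re.compile(
    r"^TLS_(?:(?P<kxauth>[A-Za-z0-9_]+?)_WITH_)?(?P<cipher>.+?)_(?P<hash>MD5|SHA(?:256|384)?)$")


@dataclass
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    key_bits: Optional[int]
    mode: str
    mac: str
    issues: List[str] = field(default_factory=list)

    @property
    def grade(self) -> str:
        """Roll the findings up the way the slides do: insecure, weak or secure."""
        if any(i.startswith("insecure") for i in self.issues):
            return "insecure"
        return "weak" if self.issues else "secure"


def openssl_to_iana(name: str) -> str:
    """Rewrite an OpenSSL-style name (ECDHE-RSA-AES128-SHA256) as its IANA name."""
    tokens = name.split("-")
    kxauth = []
    while tokens and tokens[0] in _OPENSSL_KX_AUTH:
        kxauth.append(_OPENSSL_KX_AUTH[tokens.pop(0)])
    if not kxauth:                        # OpenSSL omits RSA key transport + RSA auth
        kxauth = ["RSA"]
    if tokens[:2] == ["DES", "CBC3"]:     # 3DES is spelled across two tokens
        tokens[:2] = ["DES-CBC3"]
    cipher = _OPENSSL_CIPHERS[tokens.pop(0)]
    mode = _OPENSSL_MODES.get(tokens[0]) if tokens else None
    if mode:
        tokens.pop(0)
    elif cipher.startswith(("AES", "CAMELLIA")):
        mode = "CBC"                      # block cipher without a mode token means CBC
    hash_name = tokens[0] if tokens else "SHA256"   # ChaCha20 names omit the PRF hash
    parts = [cipher] + ([mode] if mode else []) + [hash_name]
    return "TLS_" + "_".join(kxauth) + "_WITH_" + "_".join(parts)


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split a suite name into its components and record the issue each one raises."""
    iana = name if name.startswith("TLS_") else openssl_to_iana(name)
    m = _IANA_RE.match(iana)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    issues: List[str] = []

    # Key exchange / authentication; TLS 1.3 names omit them (negotiated separately).
    kx = auth = "negotiated separately (TLS 1.3)"
    if m["kxauth"]:
        parts = m["kxauth"].split("_")
        if "EXPORT" in parts:
            parts.remove("EXPORT")
            issues.append("insecure: export-limited cipher suite")
        kx, auth = (parts[0], parts[0]) if len(parts) == 1 else (parts[0], parts[1])
        if auth == "anon":
            issues.append("insecure: anonymous key exchange, no authentication")
        elif kx not in EPHEMERAL_KX:
            issues.append(f"no forward secrecy: static {kx} key exchange")

    # Bulk cipher, key size and block cipher mode.
    tokens = m["cipher"].split("_")
    mode = "STREAM"
    if tokens[-2:] == ["CCM", "8"]:
        mode, tokens = "CCM_8", tokens[:-2]
    elif tokens[-1] in {"CBC", "GCM", "CCM", "POLY1305"}:
        mode, tokens = tokens[-1], tokens[:-1]
    key_bits = next((int(t) for t in tokens if t.isdigit()), None)
    cipher = "_".join(t for t in tokens if not t.isdigit())
    if cipher in INSECURE_CIPHERS:
        issues.append(f"insecure: bulk cipher {cipher}")
    elif cipher in UNUSED_CIPHERS:
        issues.append(f"unused: regional bulk cipher {cipher}")
    if mode == "CBC":
        issues.append("not authenticated: CBC mode instead of AEAD")

    # MAC: AEAD modes authenticate themselves, otherwise HMAC over the named hash.
    if mode == "POLY1305":
        mac, mode = "POLY1305", "STREAM"   # ChaCha20 is a stream cipher, Poly1305 its MAC
    elif mode in AEAD_MODES:
        mac = f"AEAD ({mode})"
    else:
        mac = f"HMAC-{m['hash']}"
        if m["hash"] in COLLISION_HASHES:
            issues.append(f"collisions: MAC based on {m['hash']}")
    return CipherSuite(name, kx, auth, cipher, key_bits, mode, mac, issues)
```

Running `parse_cipher_suite("ECDHE-RSA-AES128-SHA256")` reports the suite from the slide as "weak": its only finding is the unauthenticated CBC mode, while the ephemeral ECDHE exchange and the SHA-256 MAC raise nothing.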

Grades

Threat Vectors

  • Cryptographical Protocol

    • theory

    • implementation

  • Cryptographical Primitives

    • theory

    • implementation

    • performance

    • politics

Threat Vectors

  • Public Key Infrastructure

    • theory

    • implementation

  • Application Layer Protocol

  • Software

    • implementation

    • configuration

Protocol

  • insecure: SSL (2.0, 3.0)
  • weak: early TLS (1.0, 1.1)
  • possibly secure: TLS 1.2
  • secure: TLS 1.3

Supported Versions

Best Version

Theory

POODLE

Theory

CRIME

Implementation

Heartbleed

Fallback SCSV

Key Exchange

  • Forward Secrecy

    • ephemeral

    • static

  • Key Strength

  • Session Resumption

    • session id

    • session ticket

Forward Secrecy

  • static
    • Diffie–Hellman (DH)
    • Rivest–Shamir–Adleman (RSA)
    • Elliptic-curve Diffie–Hellman (ECDH)
  • ephemeral
    • Elliptic-curve Diffie–Hellman Ephemeral (ECDHE)
    • Diffie–Hellman Ephemeral (DHE)

Forward Secrecy

Session Resumption

  • perfect forward secrecy
    • stateful vs. stateless
    • stored cryptographic parameters
    • unencrypted sending
  • speed
    • real time
    • CPU time

Primitives

  • Key Exchange

  • Authentication

  • Symmetric Cipher

  • Block Cipher Mode

  • Message Authentication Code

Supported Keys

Weakest Key

Implementation

ROBOT

  • Vendors
    • F5
    • Citrix
    • Cisco
    • Palo Alto Networks
    • Symantec
    • FortiNet
  • Instances
    • Facebook
    • PayPal

Authentication

  • Key types
    • Digital Signature Algorithm (DSA)
    • Rivest–Shamir–Adleman (RSA)
    • Elliptic Curve DSA (ECDSA)
  • Key sizes
  • Signature algorithms

Signature Algorithm

Bulk Cipher

  • Stream Cipher
  • Block Cipher

    • secure

    • insecure

    • unused

  • Block Cipher Mode

Theory

Sweet32

  • Ratio
    • top 100.000: 1.1%
    • top 1.000.000: 0.5%
  • Instances
    • eBay
    • Nasdaq
    • Banco Mercantil
    • Union Bank
    • Ziraat Bank
    • Match
    • Walmart
    • Citrix

Stream Cipher

  • secure: ChaCha (ChaCha20)
  • insecure: Rivest Cipher 4 (ARCFOUR/RC4)

Block Cipher

  • secure: Advanced Encryption Standard (AES128, AES256)
  • insecure
    • Block Size of 64 bits (DES, 3DES, GOST, IDEA, RC2)
    • CBC mode only (SEED)
  • unused: Far East (ARIA, Camellia)

Block Cipher Mode

  • authenticated
    • Galois/Counter Mode (GCM)
    • Counter with CBC-MAC (CCM/CCM-8)
  • not authenticated: Cipher Block Chaining (CBC)

MAC

  • MAC types

    • HMAC

    • UMAC

  • MAC algorithms

MAC types

  • universal hashing: Poly1305 (POLY1305)
  • hash based
    • Message-Digest Algorithm 5 (MD5)
    • Secure Hash Algorithm 1 (SHA-1)
    • Secure Hash Algorithm 2 (SHA256, SHA384)

MAC algorithms

  • secure
    • Poly1305 (POLY1305)
    • Secure Hash Algorithm 2 (SHA256, SHA384)
  • collisions
    • Message-Digest Algorithm 5 (MD5)
    • Secure Hash Algorithm 1 (SHA-1)

Politics

  • Export limited algorithms
    • key exchange
    • block cipher
    • block cipher mode

Politics

DROWN

  • Ratio
    • top 1.000.000: 25%
    • all sites: 33%
  • Instances
    • Yahoo
    • Alibaba
    • Flickr
    • Samsung
    • NBA
    • Asus
    • Bangood
    • Apache

Politics

Logjam

  • Ratio
    • top 1.000.000 sites: 8.4%
    • all sites: 3.4%
    • SMTP servers: 14.8%
    • POP3S servers: 8.9%
    • IMAPS servers: 8.4%

Politics

FREAK

  • Ratio
    • 14.000.000 sites: 36.7%
    • US sites: 35%
  • Instances
    • US government servers

Cipher Settings

  • cipher suites

    • explicit list

    • list operations

  • cipher preference

Revocation Check

  • Certificate Revocation List

  • Online Certificate Status Protocol

    • Responders

    • Stapling

  • Certificate validity period

Revocation Check

Location

CRL

Access

Size

OCSP

Privacy

OCSP Stapling

Full Chain

OCSP Multi Stapling

?

Support

Hack proof

OCSP Stapling

Certificate Transparency

  • transparent
  • append-only
  • cryptographically assured
  • reproducible
  • publicly monitorable and auditable
  • log

TLS 1.3

  • Key Exchange

  • Authentication
  • Bulk Cipher
  • Hash Algorithm
  • Session Resumption

  • Revocation Check

  • Performance

  • Support

Key Exchange

  • static
    • Diffie–Hellman (DH)
    • Rivest–Shamir–Adleman (RSA)
    • Elliptic-curve Diffie–Hellman (ECDH)
  • ephemeral
    • Elliptic-curve Diffie–Hellman Ephemeral (ECDHE)
    • Diffie–Hellman Ephemeral (DHE)

Authentication

  • secure
    • Rivest–Shamir–Adleman (RSA)
    • Elliptic Curve Digital Signature Algorithm (ECDSA)
    • Edwards-Curve Digital Signature Algorithm (EdDSA)
  • insecure: anonymous (NULL)
  • unused: Digital Signature Algorithm (DSA)

Stream Cipher

  • secure: ChaCha (ChaCha20)
  • insecure: Rivest Cipher 4 (ARCFOUR/RC4)

Block Cipher

  • secure: Advanced Encryption Standard (AES128, AES256)
  • insecure
    • Block Size of 64 bits (DES, 3DES, GOST, IDEA, RC2)
    • CBC mode only (SEED)
  • unused: Far East (ARIA, Camellia)

Block Cipher Mode

  • authenticated
    • Galois/Counter Mode (GCM)
    • Counter with CBC-MAC (CCM/CCM-8)
  • not authenticated: Cipher Block Chaining (CBC)

MAC

  • secure
    • Poly1305 (POLY1305)
    • Secure Hash Algorithm 2 (SHA256, SHA384)
  • collisions
    • Message-Digest Algorithm 5 (MD5)
    • Secure Hash Algorithm 1 (SHA-1)

Cipher Suites

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_CHACHA20_POLY1305_SHA256

Revocation Check

  • Certificate Revocation List

  • Online Certificate Status Protocol

    • Responders

    • Stapling

Session Resumption

  • obsoleted
    • session resumption (session id)
    • session resumption without server-side state (session ticket)
  • non PFS: static pre-shared-key (PSK_KE)
  • PFS: ephemeral pre-shared-key (PSK_DHE_KE)

Performance

  • Handshake

  • Resumption

  • Application layer

Support

  • browser
    • Most popular (Chrome/Chromium, Firefox)
    • Less popular (Apple, Edge)
  • server
    • Most popular (Apache, NGINX)
    • Less popular (IIS, Lighty)
  • CDN
    • Most popular (Cloudflare, KeyCDN)
  • library
    • Most popular (OpenSSL, GnuTLS)
    • Less popular (Boring SSL, Fizz)

HTTPS

  • Automatic Redirection to HTTPS

  • HSTS Preload
  • Security Headers

Secure Headers

  • Automatic Redirect to HTTPS

  • Public Key Pinning

  • Defense against

    • Clickjacking

    • Content Injection Attacks

    • Cross-site scripting

HTTP STS

  Lighttpd: setenv.add-response-header=("Strict-Transport-Security"=>"Value")
  Nginx:    add_header Strict-Transport-Security 'Value' always;
  Apache:   Header always set Strict-Transport-Security "Value"
  Value:    max-age=63072000; includeSubdomains; preload

HTTP Public Key Pinning

  Lighttpd: setenv.add-response-header=("Public-Key-Pins"=>"Value")
  Nginx:    add_header Public-Key-Pins 'Value' always;
  Apache:   Header always set Public-Key-Pins "Value"
  Value:    pin-sha256="GRAH5Ex+kB4cCQi5gMU82urf..."; report-uri="https://example.com/report/hpkp"; max-age=15768000; includeSubDomains

Expect Staple

  Lighttpd: setenv.add-response-header=("Expect-Staple"=>"Value")
  Nginx:    add_header Expect-Staple 'Value' always;
  Apache:   Header always set Expect-Staple "Value"
  Value:    max-age=31536000; report-uri="https://example.com/report/staple"; includeSubDomains; preload

Expect CT

  Lighttpd: setenv.add-response-header=("Expect-CT"=>"Value")
  Nginx:    add_header Expect-CT 'Value' always;
  Apache:   Header always set Expect-CT "Value"
  Value:    max-age=31536000; report-uri="https://example.com/report/staple"; enforce

Clickjacking

  Lighttpd: setenv.add-response-header=("X-Frame-Options"=>"Value")
  Nginx:    add_header X-Frame-Options "Value" always;
  Apache:   Header always set X-Frame-Options "Value"
  Value:    deny/sameorigin

XSS Protection

  Lighttpd: setenv.add-response-header=("X-XSS-Protection"=>"Value")
  Nginx:    add_header X-XSS-Protection "Value" always;
  Apache:   Header always set X-XSS-Protection "Value"
  Value:    1; mode=block

Feature Policy

  Lighttpd: setenv.add-response-header=("Feature-Policy"=>"Value")
  Nginx:    add_header Feature-Policy "Value" always;
  Apache:   Header always set Feature-Policy "Value"
  Value:    microphone 'none'; geolocation *; payment 'self'; ...

Content Security Policy

  Lighttpd: setenv.add-response-header=("Content-Security-Policy"=>"Value")
  Nginx:    add_header Content-Security-Policy "Value" always;
  Apache:   Header always set Content-Security-Policy "Value"
  Value:    default-src https://same.domain:443
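The header values recommended on the slides in this section, turned into a check that a defender can run over a captured response. This is an added Python example, not the speaker's tooling: the thresholds (an HSTS max-age of at least one year with includeSubDomains and preload, X-Frame-Options limited to DENY or SAMEORIGIN, X-XSS-Protection "1; mode=block", an Expect-CT that carries enforce, a Content-Security-Policy that sets default-src) are read off the values shown above, and the two sample responses are constructed.

```python
"""Check the security headers of an HTTPS response against the values on these slides.

Added example, not from the talk; the thresholds follow the header values shown in
this section and the two sample responses at the bottom are constructed.
"""
from typing import Dict, List

ONE_YEAR = 365 * 24 * 3600   # the slide's HSTS max-age of 63072000 is two years


def parse_directives(value: str) -> Dict[str, str]:
    """Turn 'max-age=63072000; includeSubDomains; preload' into a lowercase-keyed dict."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings: List[str] = []

    # Strict-Transport-Security: long max-age, cover subdomains, eligible for preload.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still follow plain-HTTP links")
    else:
        d = parse_directives(hsts)
        max_age = int(d.get("max-age") or 0)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS lacks preload, so it cannot enter the preload list")

    # X-Frame-Options: only DENY or SAMEORIGIN stop clickjacking.
    if h.get("x-frame-options", "").strip().upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN")

    # X-XSS-Protection: the slide's value is "1; mode=block".
    xss = h.get("x-xss-protection", "")
    if not xss.strip().startswith("1") or parse_directives(xss).get("mode") != "block":
        findings.append("X-XSS-Protection should be '1; mode=block'")

    # Expect-CT: without the enforce directive it is report-only.
    if "enforce" not in parse_directives(h.get("expect-ct", "")):
        findings.append("Expect-CT missing or report-only (no enforce directive)")

    # Content-Security-Policy: directives are space-separated, so parse them by name.
    csp = h.get("content-security-policy", "")
    csp_names = {p.split()[0].lower() for p in csp.split(";") if p.strip()}
    if "default-src" not in csp_names:
        findings.append("Content-Security-Policy missing or without default-src")
    return findings


# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Expect-CT": 'max-age=31536000; report-uri="https://example.com/report/ct"; enforce',
    "Content-Security-Policy": "default-src https://same.domain:443",
}
WEAK_RESPONSE = {
    "strict-transport-security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_security_headers(response) or ["all checks passed"])
```

The checker deliberately treats a short HSTS max-age as three separate findings (age, includeSubDomains, preload), because each one has to be fixed before the domain qualifies for the preload list mentioned on the HTTPS slide.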

Application Protocols

Solutions

  • Configuration

    • Updates

      • Snippet

      • Generators

    • Checkers

      • Online

      • Offline

  • TLS offloaders

TLS protocols

  Lighttpd: ssl.use-sslv2 = "disable"
            ...
  Nginx:    ssl_protocols TLSv1.2 TLSv1.3;
  Apache:   SSLProtocol +TLSv1.2 +TLSv1.3

  !TLSv1.1 !TLSv1.0 !TLSv1 !SSLv2 !SSLv3

Cipher Suites

  Lighttpd: ssl.cipher-list = "CipherSuiteString"
  Nginx:    ssl_ciphers CipherSuiteString;
  Apache:   SSLCipherSuite CipherSuiteString
  CipherSuiteString: HIGH:!PSK:!SRP:!aNULL:!aDSS:!kRSA:!ARIA:!CAMELLIA:!SHA:!AESCCM

Cipher Preference

  Lighttpd: ssl.honor-cipher-order = "enable"
  Nginx:    ssl_prefer_server_ciphers On;
  Apache:   SSLHonorCipherOrder On

  Always On

OCSP Stapling

  Lighttpd: -
  Nginx:    ssl_stapling on;
  Apache:   SSLUseStapling on

  Should Be On

Online Checkers

Generators

Offline Checkers

TLS offloaders

Conclusions

Questions?

Transport Layer (in)Security - Open Academy 2021

By Szilárd Pfeiffer


Attributions: log jam by Luis Prado from the Noun Project
