Why can't say that
a TLS connection is
certainly secure?

 Szilárd Pfeiffer

Security Researcher & Evangelist

Why can't say that
a TLS connection is
certainly secure?

 Szilárd Pfeiffer

Security Researcher & Evangelist

Threats

  • Cryptographic Protocols
    • Theoretical flaws
    • Implementation flaws
  • Cryptographic Primitives
    • Theoretical flaws
    • Implementation flaws
    • Performance issues
    • Political factors

Building Blocks

TLS

protocol

_ECDHE
_RSA
_AES_128_CBC
_SHA256

key agreement

authentication

bulk encryption

integrity

Protocol Versions

possibly secure

insecure

SSL (2.0, 3.0)

TLS 1.2

weak

early TLS (1.0, 1.1)

secure

TLS 1.3

Supported Versions

Best Versions

Politics

DROWN

DROWN

ratio

affected sites

top 1M website

25%

 

all websites

33%

 

Yahoo

Alibaba
Flickr

Samsung

NBA
Asus
Banggood

Apache

Theory

POODLE

Theory

CRIME

Fallback SCSV

Key Agreement

  • Forward Secrecy

    • ephemeral

    • static

Forward Secrecy

secure

weak

Diffie-Hellman

(DH)

Rivest-Shamir-Adleman

(RSA)

Elliptic-curve Diffie-Hellman
(ECDH)

Elliptic-curve

Diffie-Hellman Ephemeral
(ECDHE)

Diffie-Hellman Ephemeral

(DHE)

not used

Key Sizes

Forward Secrecy

Authentication

  • Key types
    • Digital Signature Algorithm (DSA)
    • Rivest–Shamir–Adleman (RSA)
    • Elliptic Curve DSA (ECDSA)
  • Key Sizes
  • Hash algorithms

Authentication

secure

 

insecure

anonymous

(NULL)

Rivest–Shamir–Adleman

(RSA)

Elliptic Curve

Digital Signature Algorithm
(ECDSA)

Digital Signature Algorithm

(DSA)

Edwards-Curve
Digital Signature Algorithm
(EdDSA)

not used

Key Sizes

Hash algorithms

Bulk Cipher

  • Block ciphers

    • secure

    • weak

    • not used

  • Block cipher modes

  • Stream ciphers

Block Ciphers

secure

weak

Block Size of 64 bits

(DES, 3DES, GHOST, IDEA, RC2)

Advanced Encryption Standard

(AES128, AES256)

CBC mode only

(SEED)

not used

Far East

(ARIA, Camellia)

Stream Ciphers

secure

insecure

Rivest Cipher 4

(ARCFOUR/RC4)

ChaCha

(ChaCha20)

Rivest Cipher 4

Implementation

ROBOT

ROBOT

vendors

affected services

Facebook

 

PayPal

F5

Citrix

Cisco

Palo Alto Networks

Symantec

FortiNet

Theory

Sweet32

Sweet32

ratio

affected sites

top 100.000

1.1%

 

top 1.000.000

0.5%

eBay

Nasdaq

Banco Mercantil

Union Bank

Ziraat Bank

Match

Walmart

Citrix

Politics

  • Export-grade ciphers
    • key agreement
    • block cipher
    • block cipher mode

Politics

Logjam

Logjam

ratio

ratio

top 1M website

8.4%

 

all websites

3.4%

SMTP servers

14.8%

 

POP3S servers

8.9%

 

IMAPS servers

8.4%

Politics

FREAK

FREAK

ratio

14.000.000 sites

36.7%

 

U.S.A. sites

35%

affected orgs.

governmental organizations
(USA)

Implementation

Heartbleed

MAC

  • MAC types

    • hash-based MAC

    • universal MAC

  • MAC algorithms

MAC types

universal hash

hash-based

Message-Digest Algorithm 5

(MD5)

Poly1305
(POLY1305)

Secure Hash Algorithm 2

(SHA256, SHA384)

Secure Hash Algorithm 1

(SHA-1)

MAC

secure

collisions

Message-Digest Algorithm 5

(MD5)

Poly1305
(POLY1305)

Secure Hash Algorithm 2

(SHA256, SHA384)

Secure Hash Algorithm 1

(SHA-1)

TLS 1.3

  • What has changed?
    • Key Exchange
    • Authentication
    • Bulk Cipher
    • MAC Algorithm
    • Hash

Cipher Suites

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
    
  • TLS_CHACHA20_POLY1305_SHA256

Key Exchange

  • Finite Field Diffie-Hellman

    • not post-quantum safe

    • vulnerable to D(HE)at attack

  • Elliptic Curve Diffie-Hellman

    • not post-quantum safe

    • suspicious NISTP curves

Post Quantum

  • safe

    • hybrid EC algorithms
  • unsafe
    • finite field Diffie-Hellman (FFDH)
    • elliptic-curve Diffie-Hellman (ECDH)
    • RSA

D(HE)at Attack

  • DoS Attack against finite field DH

    • CVE-2002-20001

    • CVE-2022-40735

  • TLS 1.3 is particularly affected

    • negotiable key sizes

    • large key sizes by default

    • potentially long exponent sizes

Demo

Checkers

SaaS

On premise

Generators

Questions?

Why can't say that a TLS connection is certainly secure?

By Szilárd Pfeiffer

Why can't say that a TLS connection is certainly secure?

  • 59