Why can't say that
a TLS connection is
certainly secure?

Szilárd Pfeiffer

Security Researcher & Evangelist

Why can't say that
a TLS connection is
certainly secure?

Szilárd Pfeiffer

Security Researcher & Evangelist

Threats

Cryptographic Protocols
- Theoretical flaws
- Implementation flaws
Cryptographic Primitives
- Theoretical flaws
- Implementation flaws
- Performance issues
- Political factors

Building Blocks

TLS

protocol

_ECDHE

_RSA

_AES_128_CBC

_SHA256

key agreement

authentication

bulk encryption

integrity

Protocol Versions

possibly secure

insecure

SSL (2.0, 3.0)

TLS 1.2

weak

early TLS (1.0, 1.1)

secure

TLS 1.3

Supported Versions

Best Versions

Politics

DROWN

ratio

affected sites

top 1M website

25%

all websites

33%

Yahoo

Alibaba
Flickr

Samsung

NBA
Asus
Banggood

Apache

Theory

POODLE

Theory

CRIME

Fallback SCSV

Key Agreement

Forward Secrecy
- ephemeral
- static

Forward Secrecy

secure

weak

Diffie-Hellman

(DH)

Rivest-Shamir-Adleman

(RSA)

Elliptic-curve Diffie-Hellman
(ECDH)

Elliptic-curve

Diffie-Hellman Ephemeral
(ECDHE)

Diffie-Hellman Ephemeral

(DHE)

not used

Key Sizes

Forward Secrecy

Authentication

Key types
- Digital Signature Algorithm (DSA)
- Rivest–Shamir–Adleman (RSA)
- Elliptic Curve DSA (ECDSA)
Key Sizes
Hash algorithms

Authentication

secure

insecure

anonymous

(NULL)

Rivest–Shamir–Adleman

(RSA)

Elliptic Curve

Digital Signature Algorithm
(ECDSA)

Digital Signature Algorithm

(DSA)

Edwards-Curve
Digital Signature Algorithm
(EdDSA)

not used

Key Sizes

Hash algorithms

Bulk Cipher

Block ciphers
- secure
- weak
- not used
Block cipher modes
Stream ciphers

Block Ciphers

secure

weak

Block Size of 64 bits

(DES, 3DES, GHOST, IDEA, RC2)

Advanced Encryption Standard

(AES128, AES256)

CBC mode only

(SEED)

not used

Far East

(ARIA, Camellia)

Stream Ciphers

secure

insecure

Rivest Cipher 4

(ARCFOUR/RC4)

ChaCha

(ChaCha20)

Rivest Cipher 4

Implementation

ROBOT

vendors

affected services

Facebook

PayPal

Citrix

Cisco

Palo Alto Networks

Symantec

FortiNet

Theory

Sweet32

ratio

affected sites

top 100.000

1.1%

top 1.000.000

0.5%

eBay

Nasdaq

Banco Mercantil

Union Bank

Ziraat Bank

Match

Walmart

Citrix

Politics

Export-grade ciphers
- key agreement
- block cipher
- block cipher mode

Politics

Logjam

ratio

top 1M website

8.4%

all websites

3.4%

SMTP servers

14.8%

POP3S servers

8.9%

IMAPS servers

8.4%

Politics

FREAK

ratio

14.000.000 sites

36.7%

U.S.A. sites

35%

affected orgs.

governmental organizations
(USA)

Implementation

Heartbleed

MAC

MAC types
- hash-based MAC
- universal MAC
MAC algorithms

MAC types

universal hash

hash-based

Message-Digest Algorithm 5

(MD5)

Poly1305
(POLY1305)

Secure Hash Algorithm 2

(SHA256, SHA384)

Secure Hash Algorithm 1

(SHA-1)

MAC

secure

collisions

Message-Digest Algorithm 5

(MD5)

Poly1305
(POLY1305)

Secure Hash Algorithm 2

(SHA256, SHA384)

Secure Hash Algorithm 1

(SHA-1)

TLS 1.3

What has changed?
- Key Exchange
- Authentication
- Bulk Cipher
- MAC Algorithm
- Hash

Cipher Suites

```
TLS_AES_256_GCM_SHA384
```
```
TLS_AES_128_GCM_SHA256
```

```
TLS_AES_128_CCM_SHA256
```
```
TLS_AES_128_CCM_8_SHA256
```

```
TLS_CHACHA20_POLY1305_SHA256
```

Key Exchange

Finite Field Diffie-Hellman
- not post-quantum safe
- vulnerable to D(HE)at attack
Elliptic Curve Diffie-Hellman
- not post-quantum safe
- suspicious NISTP curves

Post Quantum

safe
- hybrid EC algorithms
unsafe
- finite field Diffie-Hellman (FFDH)
- elliptic-curve Diffie-Hellman (ECDH)
- RSA

D(HE)at Attack

DoS Attack against finite field DH
- CVE-2002-20001
- CVE-2022-40735
TLS 1.3 is particularly affected
- negotiable key sizes
- large key sizes by default
- potentially long exponent sizes