Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Egor Podmokov - TLS from security point of view

73 views

Published on

Was first presented at rannts#16 meetup: https://rannts.ru/meetups/16/

Published in: Engineering
  • Be the first to comment

Egor Podmokov - TLS from security point of view

  1. 1. Podmokov E.V. Go to TLS: information security specialist's view 1
  2. 2. Agenda • History • What’s it ? • Two levels of TLS • Security • TLS 1.3 2
  3. 3. History SSL 1.0-3.0 (…-1996) TLS 1.0 or SSL 3.1 (1999) TLS 1.1 (2006) TLS 1.2 (2008) TLS 1.3 (2017!?) tlswg.github.io/tls13-spec 3
  4. 4. The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session (see TLS handshake protocol). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see Algorithm below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected). The identity of the communicating parties can be authenticated using public- key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server). The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission. What’s it ? 4
  5. 5. What’s it ? App Presentation Session Phy Transport Network Data Link TLS Higher handshake layer Lower recording layer 5
  6. 6. Recording 6
  7. 7. Handshake Client Server 7
  8. 8. Reconnection Client Server 8
  9. 9. Client Server False Start 9
  10. 10. Other • ChangeCipherSpec • Alert • Application Data 10
  11. 11. Certificate Authority @babayota_kun: habrahabr.ru/post/258285 Chain of trust Certificate Revocation List OCSP 11
  12. 12. TLS with ГОСТ • ГОСТ Р 34.10-2012 (RFC 7091) electronic digital signature • ГОСТ Р 34.11-2012 (RFC 6986) hash tc26.ru 12
  13. 13. BEAST TLS 1.0 Browser Exploit Against SSL/TLS Main algo with CBC Ci = E(Key, Mi xor Ci-1) If all msg is equal M1 = Ci-1 xor IV xor P C1 = E(Key, M1 xor IV) = = E(Key, (Ci-1 xor IV xor P) xor IV) = = E(Key, (Ci-1 xor P)) == Сi 13
  14. 14. BEAST TLS 1.0 msg segmentation to blocks [login: *][*******] [*******] … 14
  15. 15. CRIME TLS 1.0-1.1 nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/ details-on-the-crime-attack/ 15
  16. 16. BREACH blackhat.com/us-13/briefings.html#Prado MS Outlook WEB Access GET /owa/?ae=Item&t=IPM.Note&a=New&id= canary=<guess> <span id=requestUrl>https://malbot.net:443/owa/forms/ basic/BasicEditMessage.aspx?ae=Item&amp;t=IPM.Note &amp;a=New&amp;id=canary=<guess> </span> ... <td nowrap id="tdErrLgf"><a href="logoff.owa?canary=d634cda866f14c73ac135ae85 8c0d894">LogOff</a></td> Token CSRF 16
  17. 17. Lucky-13 TLS 1.0-1.2 Padding-oracle based cryptopro.ru/blog/2013/02/19/kriptopro-tls-protiv-schastlivogo-chisla-13 17
  18. 18. Heartbleed • OpenSSL CVE-2014-0160 18
  19. 19. 19
  20. 20. 20
  21. 21. 21
  22. 22. Others FREAK & Logjam POODLE (Padding Oracle On Downgraded Legacy Encryption) - MITM Sweet32 DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) THC-SSL-DOS …. 22
  23. 23. TLS 1.3 • Not compatible to 1.2 • New handshake • 0-RTT (round-trip time) • metadata 23
  24. 24. Links • TLS 1.3 tlswg.github.io/tls13-spec • TLS details tls.dxdt.ru/tls.html • DEV literature blog.cloudflare.com/introducing-tls-1-3 • Network blog.fourthbit.com/2014/12/23/traffic- analysis-of-an-ssl-slash-tls-session 24

×