Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Podmokov E.V.
Go to TLS:
information security
specialist's
view
1
Agenda
• History
• What’s it ?
• Two levels of TLS
• Security
• TLS 1.3
2
History
SSL 1.0-3.0 (…-1996)
TLS 1.0 or SSL 3.1 (1999)
TLS 1.1 (2006)
TLS 1.2 (2008)
TLS 1.3 (2017!?)
tlswg.github.io/tls1...
The Transport Layer Security protocol aims primarily to provide privacy and
data integrity between two communicating compu...
What’s it ?
App
Presentation
Session
Phy
Transport
Network
Data Link
TLS Higher handshake layer
Lower recording layer
5
Recording
6
Handshake
Client Server
7
Reconnection
Client Server
8
Client Server
False Start
9
Other
• ChangeCipherSpec
• Alert
• Application Data
10
Certificate Authority
@babayota_kun: habrahabr.ru/post/258285
Chain of trust
Certificate Revocation List
OCSP
11
TLS with ГОСТ
• ГОСТ Р 34.10-2012 (RFC 7091)
electronic digital signature
• ГОСТ Р 34.11-2012 (RFC 6986) hash
tc26.ru 12
BEAST TLS 1.0
Browser Exploit Against SSL/TLS
Main algo with CBC
Ci = E(Key, Mi xor Ci-1)
If all msg is equal
M1 = Ci-1 xo...
BEAST TLS 1.0
msg segmentation to blocks
[login: *][*******] [*******] …
14
CRIME TLS 1.0-1.1
nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/
details-on-the-crime-attack/ 15
BREACH
blackhat.com/us-13/briefings.html#Prado
MS Outlook WEB Access
GET /owa/?ae=Item&t=IPM.Note&a=New&id=
canary=<guess>...
Lucky-13 TLS 1.0-1.2
Padding-oracle based
cryptopro.ru/blog/2013/02/19/kriptopro-tls-protiv-schastlivogo-chisla-13 17
Heartbleed
• OpenSSL CVE-2014-0160
18
19
20
21
Others
FREAK & Logjam
POODLE (Padding Oracle On Downgraded
Legacy Encryption) - MITM
Sweet32
DROWN (Decrypting RSA with Ob...
TLS 1.3
• Not compatible to 1.2
• New handshake
• 0-RTT (round-trip time)
• metadata
23
Links
• TLS 1.3 tlswg.github.io/tls13-spec
• TLS details tls.dxdt.ru/tls.html
• DEV literature
blog.cloudflare.com/introdu...
You’ve finished this document.
Download and read it offline.
Upcoming SlideShare
What to Upload to SlideShare
Next
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

1

Share

Egor Podmokov - TLS from security point of view

Download to read offline

Was first presented at rannts#16 meetup: https://rannts.ru/meetups/16/

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Egor Podmokov - TLS from security point of view

  1. 1. Podmokov E.V. Go to TLS: information security specialist's view 1
  2. 2. Agenda • History • What’s it ? • Two levels of TLS • Security • TLS 1.3 2
  3. 3. History SSL 1.0-3.0 (…-1996) TLS 1.0 or SSL 3.1 (1999) TLS 1.1 (2006) TLS 1.2 (2008) TLS 1.3 (2017!?) tlswg.github.io/tls13-spec 3
  4. 4. The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications. The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session (see TLS handshake protocol). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see Algorithm below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected). The identity of the communicating parties can be authenticated using public- key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server). The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission. What’s it ? 4
  5. 5. What’s it ? App Presentation Session Phy Transport Network Data Link TLS Higher handshake layer Lower recording layer 5
  6. 6. Recording 6
  7. 7. Handshake Client Server 7
  8. 8. Reconnection Client Server 8
  9. 9. Client Server False Start 9
  10. 10. Other • ChangeCipherSpec • Alert • Application Data 10
  11. 11. Certificate Authority @babayota_kun: habrahabr.ru/post/258285 Chain of trust Certificate Revocation List OCSP 11
  12. 12. TLS with ГОСТ • ГОСТ Р 34.10-2012 (RFC 7091) electronic digital signature • ГОСТ Р 34.11-2012 (RFC 6986) hash tc26.ru 12
  13. 13. BEAST TLS 1.0 Browser Exploit Against SSL/TLS Main algo with CBC Ci = E(Key, Mi xor Ci-1) If all msg is equal M1 = Ci-1 xor IV xor P C1 = E(Key, M1 xor IV) = = E(Key, (Ci-1 xor IV xor P) xor IV) = = E(Key, (Ci-1 xor P)) == Сi 13
  14. 14. BEAST TLS 1.0 msg segmentation to blocks [login: *][*******] [*******] … 14
  15. 15. CRIME TLS 1.0-1.1 nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/ details-on-the-crime-attack/ 15
  16. 16. BREACH blackhat.com/us-13/briefings.html#Prado MS Outlook WEB Access GET /owa/?ae=Item&t=IPM.Note&a=New&id= canary=<guess> <span id=requestUrl>https://malbot.net:443/owa/forms/ basic/BasicEditMessage.aspx?ae=Item&amp;t=IPM.Note &amp;a=New&amp;id=canary=<guess> </span> ... <td nowrap id="tdErrLgf"><a href="logoff.owa?canary=d634cda866f14c73ac135ae85 8c0d894">LogOff</a></td> Token CSRF 16
  17. 17. Lucky-13 TLS 1.0-1.2 Padding-oracle based cryptopro.ru/blog/2013/02/19/kriptopro-tls-protiv-schastlivogo-chisla-13 17
  18. 18. Heartbleed • OpenSSL CVE-2014-0160 18
  19. 19. 19
  20. 20. 20
  21. 21. 21
  22. 22. Others FREAK & Logjam POODLE (Padding Oracle On Downgraded Legacy Encryption) - MITM Sweet32 DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) THC-SSL-DOS …. 22
  23. 23. TLS 1.3 • Not compatible to 1.2 • New handshake • 0-RTT (round-trip time) • metadata 23
  24. 24. Links • TLS 1.3 tlswg.github.io/tls13-spec • TLS details tls.dxdt.ru/tls.html • DEV literature blog.cloudflare.com/introducing-tls-1-3 • Network blog.fourthbit.com/2014/12/23/traffic- analysis-of-an-ssl-slash-tls-session 24
  • RamakrishnaMaddela

    Oct. 8, 2017

Was first presented at rannts#16 meetup: https://rannts.ru/meetups/16/

Views

Total views

215

On Slideshare

0

From embeds

0

Number of embeds

1

Actions

Downloads

1

Shares

0

Comments

0

Likes

1

×