Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

(SEC316) SSL with Amazon Web Services | AWS re:Invent 2014

4,603 views

Published on

The SSL and TLS protocols are critical to online security and performance. This session discusses how the SSL and TLS protocols work and how they are integrated with many AWS services such as Amazon CloudFront, Elastic Load Balancing, and Amazon S3. Learn how technologies such as Perfect Forward Secrecy and HSTS can be used to protect end-user data, and why browsers and servers are now removing support for version 3 of the SSL protocol, SHA-1 signatures and some encryption algorithms such as RC4. By the end of the session you'll be able to understand each of these technologies and how to adapt to the changing security landscape.

Published in: Technology

(SEC316) SSL with Amazon Web Services | AWS re:Invent 2014

  1. 1. November 12, 2014 | Las Vegas, NV Colm MacCárthaigh, Amazon Web Services
  2. 2. Secrecy Tamper proofAuthentication
  3. 3. 1991 1994 1996 1999 2006 2008 2015
  4. 4. Bleichenbacher 1998 Vaudenay 2002 Pizza 2008 Reneg 2009 BEAST 2011 Alert 2012 CRIME 2012 POODLE 2014 2012 RSA-1024 2013 RC42004 MD5 SSLv2 1995 SHA1 2011 2013 Lucky13 2014 3SHAKE
  5. 5. 1991 1994 1996 1999 2006 2008 2015
  6. 6. 1991 1994 1996 1999 2006 2008 2015 Legacy Clients
  7. 7. Public/Private key encryption Shared key encryption Signatures Hashes/Check sums
  8. 8. colmmacc% ls -la /usr/bin/gcc -rwxr-xr-x 1 root wheel 14160 Sep 26 19:06 /usr/bin/gcc colmmacc% cat /usr/bin/gcc | shasum -a 256 24858b1cfa6ca73fd07ba4d5ea9df0e8f123930fbecff1541b13ca9522a34837 Hashes/Checksums
  9. 9. colmmacc% openssl speed rsa escdsa aes-128-cbc 67k/sec 133k/sec 747k/sec
  10. 10. Public/Private key encryption Signatures Hashes/Check sums
  11. 11. Internet Protocol Transmission Control Protocol TLS Application Protocol (HTTP, SMTP, SQL … )
  12. 12. 2Use public/private keys to authenticate and to establish a shared secret 3Use the shared secret to encrypt and decrypt data 1Say hello and agree on the algorithms to use
  13. 13. Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data Client Hello
  14. 14. Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data 2 31
  15. 15. Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data 1 3
  16. 16. Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  17. 17. Client protocol version, client time, 28 bytes of randomly generated data, Client choice of Cipher Suites (in order of preference) Server Name Indicator field Cached Session ID / Cached Session Ticket Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  18. 18. 2 3
  19. 19. Public/ Private Algorithm Perfect Forward Secrecy Shared Secret Algorithm Record Auth Algorithm
  20. 20. Protocol version to use, server time, 28 bytes of randomly generated data, The Cipher Suite to use Session ID / Session Ticket Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  21. 21. Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  22. 22. # Generate a 2048-bit RSA private key openssl genrsa –out privkey.pem 2048 # Generate a certificate signing request openssl req -new -key privkey.pem -out cert.csr Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  23. 23. # Generate an Elliptic Curve key openssl ecparam –out privkey.pem –name prime256v1 –genkey # Generate a certificate signing request openssl req -new -key privkey.pem -out cert.csr Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  24. 24. 2012 RSA-10242004 MD5 SHA1 2011
  25. 25. Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data Nov 2014 Jan 2015 Jan 2015 31 Dec 2015
  26. 26. Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  27. 27. O C S P Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  28. 28. Used for Perfect Forward Secrecy A Diffie-Hellman public parameter is generated and sent to the client Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  29. 29. Perfect forward secrecy version: Client sends another Diffie-Hellman parameter, encrypted using the server’s public key Legacy version: Client sends a secret, encrypted using the server’s public key Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  30. 30. We’re finished and ready to send encrypted data. There’s also a “Change cipher suite” message to initiate encryption. Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  31. 31. GET / HTTP/1.1 Host: aws.amazon.com Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Client Hello Server Hello Server Cert Server Key Client Key Client Finished Server Finished App Data App Data
  32. 32. Reneg 2009 2014 3SHAKE Pizza 2008
  33. 33. Public/ Private Algorithm Perfect Forward Secrecy Shared Secret Algorithm Record Auth Algorithm
  34. 34. Message Type Protocol Version Record Length Encrypted Message Type Protocol Version Record Length Encrypted Encrypted Encrypted
  35. 35. Message Type Protocol Version Record Length Encrypted Message Type Protocol Version Record Length Encrypted Encrypted Encrypted Message Type Protocol Version Record Length HMACData Message Type Protocol Version Record Length HMACData P A D
  36. 36. Bleichenbacher 1998 Vaudenay 2002 BEAST 2011 POODLE 2014 2013 RC42004 MD5 SHA1 2011 2013 Lucky13
  37. 37. Message Type Protocol Version Record Length Message Type Protocol Version Record Length Message Type Protocol Version Record Length HMACData Message Type Protocol Version Record Length Encrypted Initialization Vector Encrypted Encrypted TAG Data P A D Nonce
  38. 38. POODLE 2014
  39. 39. Message Type Protocol Version Record Length Encrypted Encrypted Encrypted Message Type Protocol Version Record Length HMACData PAD
  40. 40. Message Type Protocol Version Record Length Encrypted Encrypted Message Type Protocol Version Record Length HMACData PAD Encrypted
  41. 41. Message Type Protocol Version Record Length Encrypted Encrypted Encrypted Message Type Protocol Version Record Length HMAC PAD
  42. 42. BEAST 2011 POODLE 2014 Pizza 2008 CRIME 2012
  43. 43. GET / HTTP/1.1rnCookie:1 12
  44. 44. GET /a HTTP/1.1rnCookie: 1 21
  45. 45. ECDHE DHE No Perfect Forward Secrecy AES-128 AES-256 3DES RC4 ECDSA RSA GCM SHA128 SHA256 SHA1 MD5
  46. 46. ECDHE AES-128ECDSA GCM
  47. 47. ECDHE AES-128ECDSA SHA128
  48. 48. ECDHE AES-128ECDSA SHA256
  49. 49. ECDHE AES-128ECDSA SHA1
  50. 50. ECDHE AES-128ECDSA MD5
  51. 51. ECDHE AES-256 ECDSA GCM
  52. 52. No Perfect Forward Secrecy RC4 RSA SHA1
  53. 53. 11 NOV 12 NOV
  54. 54. H S T S Strict-Transport-Security: mag-age=15768000, includeSubdomains
  55. 55. http://mozilla.github.io/server-side-tls/ssl-config-generator/
  56. 56. http://aws.amazon.com/security SDD423 – Elastic Load Balancing Deep Dive PFC303 – Milliseconds Matter
  57. 57. http://bit.ly/awsevals

×