Rootconf2019
Let's talk about TLS 1.3
  1. Let's talk TLS 1.3
     Huzaifa Sidhpurwala, Red Hat Product Security Team
  2. We are going to talk about:
     ● What is SSL/TLS and why is it so important?
     ● Security flaws affecting older versions of SSL/TLS
     ● What is new in TLS 1.3 (security, performance)
     ● Implementations
  3. What is SSL/TLS, a.k.a. why do I care?
     ● The most used protocol on the internet.
     ● Currently all protocols are wrapped in SSL/TLS to secure them on the internet.
     ● Most flaws are found in SSL/TLS; it has a large attack surface.
     ● The most implemented protocol on the internet: OpenSSL, NSS, GnuTLS, Java, etc.
  4. Heartbleed
     ● First of its kind!
     ● Implementation flaw in the heartbeat extension in OpenSSL.
     ● Led researchers to look deeper into SSL/TLS code.
  5. Lucky 13
     ● Timing attack against CBC.
     ● Known previously, but this time they found a novel way to exploit it.
     ● All open source SSL/TLS code was found to be vulnerable.
  6. BEAST
     ● Affects TLS 1.0 and earlier.
     ● Purely a client-side flaw; normally affects browsers with malicious extensions.
     ● Can be used to predict plaintext.
  7. TLS 1.3?
     ● There were others as well...
       – CRIME
       – POODLE
       – SWEET32
  8. TLS 1.3?
     ● We need a new protocol designed from the ground up with security in mind, rather than older "patched" versions.
  9. TLS 1.3?
     ● Improvements in two major fields:
       – Performance (with security in mind)
       – Security
  10. TLS 1.3 performance
     ● Faster handshakes
     (diagram: handshake message flow, steps 1 to 4)
  11. TLS 1.3 performance
     ● TLS 1.3 handshake:
     (diagram: TLS 1.3 handshake message flow, steps 1 to 4)
  12. Session resumption with TLS
     ● Session identifiers:
       – Servers keep track of sessions via session IDs. The client re-connects with the session ID to resume the session.
     ● Session tickets:
       – After the handshake, a session ticket (a blob of the session key plus associated data) encrypted with a server key is sent to the client to store.
       – On resumption the client presents this to the server.
  13. Session resumption in TLS 1.3
     ● Both of the previous methods are now obsolete.
     ● Replaced by PSK mode in TLS 1.3.
     ● "The idea is that after a session is established, the client and server can derive a shared secret called the 'resumption master secret'. This can either be stored on the server with an id (session id style) or encrypted by a key known only to the server (session ticket style). This session ticket is sent to the client and redeemed when resuming a connection."
  14. TLS 1.3 performance
     ● Faster session resumptions
     (diagram: resumption message flow, steps 1 to 4)
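Slides 12 to 14 describe resumption from a shared resumption master secret. As an added example, not code from the talk, the block below implements the TLS 1.3 PSK derivation from RFC 8446 (HKDF-Expand-Label over the resumption master secret and the ticket nonce) and walks it through a "session id style" exchange; the ServerSessionStore class, the random secret, and the single-use ticket policy are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
HASH = hashlib.sha256          # hash of the cipher suite, e.g. TLS_AES_128_GCM_SHA256
HASH_LEN = HASH().digest_size  # 32 bytes

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1); info is the HkdfLabel struct:
    uint16 length, opaque label<7..255> = "tls13 " + label, opaque context<0..255>."""
    full_label = b"tls13 " + label.encode("ascii")
    info = (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_psk(resumption_master_secret: bytes, ticket_nonce: bytes) -> bytes:
    """RFC 8446 section 4.6.1: PSK = HKDF-Expand-Label(rms, "resumption", ticket_nonce, Hash.length)."""
    return hkdf_expand_label(resumption_master_secret, "resumption", ticket_nonce, HASH_LEN)

class ServerSessionStore:
    """Hypothetical session-id style store: the server keeps the resumption master secret
    and hands the client an opaque ticket id plus the ticket nonce."""
    def __init__(self):
        self._sessions = {}
    def new_session_ticket(self, resumption_master_secret: bytes):
        ticket_id, ticket_nonce = os.urandom(16), os.urandom(8)
        self._sessions[ticket_id] = (resumption_master_secret, ticket_nonce)
        return ticket_id, ticket_nonce
    def redeem(self, ticket_id: bytes):
        """Single use: the entry is removed, so presenting the same ticket twice yields no PSK."""
        entry = self._sessions.pop(ticket_id, None)
        return None if entry is None else derive_psk(*entry)

def simulate_resumption():
    """Constructed run: a finished handshake yields the secret, a ticket is issued, the client resumes."""
    rms = os.urandom(HASH_LEN)                         # resumption_master_secret (constructed, random)
    server = ServerSessionStore()
    ticket_id, nonce = server.new_session_ticket(rms)  # NewSessionTicket sent to the client
    client_psk = derive_psk(rms, nonce)                # client computes its PSK from the ticket nonce
    server_psk = server.redeem(ticket_id)              # client presents the ticket id on the next ClientHello
    return client_psk, server_psk, server.redeem(ticket_id)
```

Both sides end up with the same 32-byte PSK without the server ever sending a key over the wire; the third value shows a replayed ticket being refused once it has been consumed.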
  15. TLS 1.3 security
     ● Remove old and obsolete crypto:
       – RSA key exchange
       – RC4, SHA-1, MD5 (SLOTH)
       – CBC (Lucky 13, POODLE)
       – No compression (CRIME)
       – Remove PKCS #1 v1.5
  16. TLS 1.3 security
     ● Add new crypto features:
       – Anti-downgrade mechanism.
       – New session resumption features.
       – New ECC curves.
       – Privacy of certificates during handshakes.
       – ChaCha20/Poly1305.
  17. Implementations
     ● OpenSSL: OpenSSL 1.1.1 includes TLS 1.3 support.
     ● NSS: 3.39 contains support for the final version of TLS 1.3.
     ● GnuTLS: 3.6.5 contains support for TLS 1.3.
  18. References:
     ● https://www.ietf.org/blog/tls13/
     ● https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
     ● https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html
     ● https://access.redhat.com/blogs/766093/posts/2975791
     ● https://access.redhat.com/blogs/766093/posts/2978671
  19. Email: huzaifas@redhat.com
     Questions?
