
OSDC 2018 | Hitchhiker’s guide to TLS 1.3 and GnuTLS by Ander Juaristi Alamos

TLS 1.3 is so different from its predecessors that some argue it should’ve been called TLS 2.0. TLS 1.3 comes with a number of new features that may or may not benefit datacenter deployment, depending on the use case. It also streamlines key establishment, making TLS 1.3 simpler and more secure. It may be the best TLS so far, but in spite of its simplicity, fitting it into the current GnuTLS API has been no easy task. This talk gives an overview of what to expect from TLS 1.3, tours around GnuTLS, its interfaces and its internal structure, and explains how we went about redesigning the current API to support TLS 1.3 without breaking anything and, of course, keeping backward compatibility. Our design principle: TLS 1.3 is simple, so the interface should be too.



Slide 1: Hitchhiker’s guide to TLS 1.3 and GnuTLS
OSDC 2018, Berlin, June 12, 2018
Ander Juaristi, a@juaristi.eus, Tecnalia, Research & Innovation
(Running header on every slide: Introduction / A Crypto Primer / TLS 1.3 noteworthy features / Pre-shared key schemes / Session resumption / Session ticket key rotation / Speeding up TLS 1.2 and 1.3)

Slides 2-3: Table of Contents
1 Introduction
2 A Crypto Primer
  - Forward Secrecy
  - AEAD ciphers: EtA vs. AtE; AEAD ciphers
3 TLS 1.3 noteworthy features
  - Anatomy of a TLS handshake
  - TLS 1.3 Summary
  - Some extras: Cookies; Encrypted extensions; Arbitrary record padding
4 Pre-shared key schemes
  - Pre-shared keys in TLS 1.3
  - Attacks in TLS 1.3 pre-shared keys
5 Session resumption
  - TLS 1.3 Session tickets
  - Problems with TLS 1.3 session tickets
6 Session ticket key rotation
  - Problems with current implementations
  - What have others done?
  - What has GnuTLS done?
7 Speeding up TLS 1.2 and 1.3
  - TLS 1.2 False Start
  - TLS 1.3 0-RTT
Slide 4: 1 Introduction

Slide 5: Disclaimer
- We’ve implemented draft version -21 [1]
- Some parts are not yet implemented, or only partially implemented
[1] https://tools.ietf.org/html/draft-ietf-tls-tls13-21
Slide 6: 2 A Crypto Primer (Forward Secrecy, AEAD ciphers)

Slides 7-10: (Perfect) Forward Secrecy [2]
- With a compromised long-term key you can decrypt current (and hence future) traffic, but not past traffic.
- RSA is not forward-secret...
- ...but can still be used for authentication.
TLS 1.3 supported ciphers:
- Key exchange methods: Diffie-Hellman and pre-shared keys
- Signature schemes: RSASSA-PSS, RSA PKCS#1 v1.5, ECDSA, EdDSA, ... Pretty much anything you can use in a certificate. Just like before.
[2] "It’s never perfect" - Bruce Schneier

Slides 11-12: Forward Secrecy - What’s wrong with RSA?
- It lets you decrypt traffic at will at any point in the network.
- Some industries are required to do this by law.
Slides 13-14: EtA vs. AtE
- Encryption: scrambles some text so that it cannot be read.
- Authentication: generates a tag that makes sure some text wasn’t changed in transit.
- Do you encrypt first, or authenticate first?

Slide 15: The three compositions
- EtA, Encrypt-then-Authenticate (IPsec): Plaintext -> Ciphertext -> MAC over the Ciphertext; send Ciphertext || MAC
- AtE, Authenticate-then-Encrypt (TLS): Plaintext -> MAC over the Plaintext -> encrypt Plaintext || MAC; send Ciphertext
- A&E, Authenticate-and-Encrypt (SSH): Plaintext -> Ciphertext and MAC over the Plaintext, computed independently; send Ciphertext || MAC

Slide 16: Correct answer is Encrypt-then-Authenticate (EtA): Ciphertext || MAC

Slides 17-22: But, what’s wrong with AtE?
- Nothing, from a purist’s perspective.
- It is even unconditionally secure with CBC or stream ciphers.
- It is (somewhat) easier to use than EtA.
- But it is totally vulnerable to Padding Oracle Attacks. Padding Oracle Attacks are the problem.

Slide 23: Summary of Padding Oracle attacks and their mitigations
Attack         Mitigation
Vaudenay       Merge "decryption failed" and "bad record mac" into one alert (bad record mac), but you still have timing issues that give rise to Lucky 13 attacks.
Lucky 13       Solved with EtA (or AEAD).
Bard, BEAST    Solved with the record splitting technique, or with EtA (or AEAD).
POODLE         Breaks SSL 3.0. Mitigation is, well... not using SSL 3.0 at all.
Slides 24-27: EtA vs. AtE
- EtA: encrypt first, and then authenticate the ciphertext.
- But SSL (and TLS) has historically been AtE.
- This gave rise to a whole bunch of problems, as explained.
- Solutions: just changing to EtA was not trivial, so TLS 1.2 introduced the encrypt_then_mac extension (RFC 7366).

Slides 28-30: AEAD ciphers
- AEAD: Authenticated Encryption with Associated Data. One single primitive performs both, simultaneously.
- They’re not block ciphers, but modes of operation.
- You can build an AEAD primitive with Rijndael, Serpent, Twofish, etc.

Slide 31: AEAD modes of operation
Mode of operation             Description
Galois Counter Mode (GCM)     Counter mode encryption + Galois field multiplication with each ciphertext block. But only accepts 128-bit blocks.
Counter with CBC-MAC (CCM)    Counter mode + CBC-MAC.
EAX                           Similar to CCM, with some improvements and using OMAC instead of CBC-MAC.
Offset Codebook (OCB)         "Sort of" counter mode. Very efficiently parallelizable.

Slide 32: AEAD ciphers’ interface
Inputs to the AEAD encryption function:
- K: the secret key
- N: a nonce, different for each invocation
- P: the plaintext, to be encrypted and authenticated
- A: the associated data, authenticated but not encrypted

The function-pointer type of GnuTLS’s crypto backend (the key K lives in the cipher handle hd; auth is A, nonce is N, tag is the tag length):

    typedef int (*aead_cipher_encrypt_func) (void *hd,
                                             const void *nonce, size_t,
                                             const void *auth, size_t,
                                             size_t tag,
                                             const void *plaintext, size_t,
                                             void *ciphertext, size_t);
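The two compositions from slides 13-27 side by side, with the record header playing the role of the associated data A from slide 32. This is an added example, not code from the talk or from GnuTLS; it is Python on the standard library, with a toy HMAC-based stream cipher standing in for the block cipher, fixed constructed keys and a constructed record header. The point it makes: a MAC-then-encrypt receiver exposes two distinguishable failures (bad padding vs. bad MAC, the oracle that Vaudenay’s attack relies on and the first mitigation on slide 23 merges), while an encrypt-then-MAC receiver can only ever report one.

```python
import hashlib
import hmac
import os

BLOCK = 16        # padding block size, as in TLS 1.2 CBC cipher suites
TAG_LEN = 32      # HMAC-SHA256 tag length
NONCE_LEN = 16
ENC_KEY, MAC_KEY = b"k" * 32, b"m" * 32      # constructed fixed keys
HEADER = bytes.fromhex("1703030030")         # constructed record header = associated data


def keystream(key, nonce, length):
    """Toy stream cipher: blocks of HMAC-SHA256(key, nonce || counter). It stands in for
    AES here so that the example runs on the standard library alone."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    """TLS-style padding: n bytes, each holding the value n - 1."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n - 1]) * n


def unpad(data):
    n = data[-1] + 1 if data else 0
    if n == 0 or n > len(data) or data[-n:] != bytes([n - 1]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


# AtE (MAC-then-encrypt): the historical SSL/TLS record layout. The MAC covers the
# header (associated data) and the plaintext; plaintext || MAC || padding is encrypted.
def ate_seal(enc_key, mac_key, header, plaintext):
    nonce = os.urandom(NONCE_LEN)
    body = pad(plaintext + mac(mac_key, header, plaintext))
    return nonce + xor(body, keystream(enc_key, nonce, len(body)))


def ate_open(enc_key, mac_key, header, record):
    nonce, body = record[:NONCE_LEN], record[NONCE_LEN:]
    plain = unpad(xor(body, keystream(enc_key, nonce, len(body))))  # may raise "bad padding"
    msg, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, header, msg)):
        raise ValueError("bad record mac")
    return msg


# EtA (encrypt-then-MAC, RFC 7366): the MAC covers header, nonce and ciphertext and is
# checked before anything is decrypted. This is also the generic AEAD composition.
def eta_seal(enc_key, mac_key, header, plaintext):
    nonce = os.urandom(NONCE_LEN)
    body = pad(plaintext)
    ct = xor(body, keystream(enc_key, nonce, len(body)))
    return nonce + ct + mac(mac_key, header, nonce, ct)


def eta_open(enc_key, mac_key, header, record):
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, header, nonce, ct)):
        raise ValueError("bad record mac")   # the only failure a peer can ever observe
    return unpad(xor(ct, keystream(enc_key, nonce, len(ct))))   # cannot fail on authentic data


def tamper(open_fn, record, positions):
    """Flip one bit at each position and collect the distinct errors the receiver reports."""
    errors = set()
    for pos in positions:
        forged = bytearray(record)
        forged[pos] ^= 0x01
        try:
            open_fn(ENC_KEY, MAC_KEY, HEADER, bytes(forged))
            errors.add("accepted")
        except ValueError as err:
            errors.add(str(err))
    return errors


def ate_failures():
    """Tamper with the first body byte (message) and with the last one (padding)."""
    rec = ate_seal(ENC_KEY, MAC_KEY, HEADER, b"hello")
    assert ate_open(ENC_KEY, MAC_KEY, HEADER, rec) == b"hello"
    return tamper(ate_open, rec, [NONCE_LEN, len(rec) - 1])


def eta_failures():
    """Same two positions, now inside the ciphertext body that precedes the tag."""
    rec = eta_seal(ENC_KEY, MAC_KEY, HEADER, b"hello")
    assert eta_open(ENC_KEY, MAC_KEY, HEADER, rec) == b"hello"
    return tamper(eta_open, rec, [NONCE_LEN, len(rec) - TAG_LEN - 1])


if __name__ == "__main__":
    print("AtE distinguishable failures:", ate_failures())   # {'bad padding', 'bad record mac'}
    print("EtA distinguishable failures:", eta_failures())   # {'bad record mac'}
```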
Slide 33: Accelerated AEAD ciphers
They can be accelerated with hardware-backed AES-NI or VIA Padlock instruction sets. Excerpt of an accelerated GCM implementation (vpclmulqdq is the carry-less multiply used for GHASH):

    vmovdqu    96(%rsp),%xmm2
    vpclmulqdq $0x00,%xmm0,%xmm1,%xmm6
    vmovdqu    96-32(%r9),%xmm3
    vpxor      %xmm7,%xmm6,%xmm6
    vpunpckhqdq %xmm2,%xmm2,%xmm7
    vpclmulqdq $0x11,%xmm0,%xmm1,%xmm1
    vpxor      %xmm2,%xmm7,%xmm7
    vpxor      %xmm9,%xmm1,%xmm1
    vpclmulqdq $0x10,%xmm15,%xmm4,%xmm4
    vmovdqu    128-32(%r9),%xmm15
    vpxor      %xmm5,%xmm4,%xmm4
Slide 34: 3 TLS 1.3 noteworthy features (Anatomy of a TLS handshake, TLS 1.3 Summary, Some extras)

Slide 35: TLS 1.3 full handshake (* = optional)
Client                                          Server
ClientHello
  + key_share
  + pre_shared_key*
  + supported_versions        -------->
                                                ServerHello
                                                  + key_share
                                                  + pre_shared_key*
                                                  + supported_versions
                              <--------         Finished
Finished                      -------->

Slides 36-37: TLS 1.3 noteworthy extensions
- key_share: sends the Diffie-Hellman public value. It also advertises the named group it belongs to.
- pre_shared_key: advertises a pre-shared key.

Slide 38: TLS 1.3 HelloRetryRequest
ClientHello + key_share + pre_shared_key* + supported_versions   -------->
                                    <--------   HelloRetryRequest + key_share
ClientHello + key_share + pre_shared_key* + supported_versions   -------->
                                    <--------   ServerHello + key_share + pre_shared_key* + supported_versions
                                    <--------   Finished
Finished                                                         -------->

Slide 39: The TLS 1.3 handshake
- TLS 1.3 is negotiated with extensions.
- In TLS 1.3, ClientHello and ServerHello are very, very minimalistic. They could be even smaller; some fields are kept for backward compatibility:
  - Session ID is deprecated
  - Compression methods are deprecated
  - Cipher suites field is constrained to symmetric cipher and hash only
  - Version number is deprecated
- Version negotiation is done with ClientHello.legacy_version + ServerHello.legacy_version + the supported_versions extension

Slide 40: The TLS 1.3 handshake (figure only)

Slides 41-42: TLS 1.3 - Summary
TLS 1.3 ships with only 5 cipher suites!
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_CCM_8_SHA256
Summary:
- Cleaner, simpler rewrite of TLS 1.2.
- Only Diffie-Hellman key exchange supported.
- Only AEAD ciphers supported for record protection.
Slide 43: TLS 1.3 cookies
- Cookies help mitigate DoS attacks.
- The server may abort the handshake and send a HelloRetryRequest (HRR) with a cookie.
- The client must send the cookie back in the next ClientHello.
- This makes sure the peer is reachable at that network address.

Slides 44-45: Encrypted extensions
- Some extensions are not security-related, nor required to establish cryptographic context.
- Noteworthy encrypted extensions: server_name (RFC 6066), ALPN (RFC 7301), early_data (for 0-RTT)
Slides 46-49: Arbitrary record padding
A TLS 1.3 record is the TLS record header followed by the encrypted application data; the padding is a run of zero bytes appended to the content before encryption. The slides show the same content sent with 8, 32 and 64 bytes of padding:

    TLS record header | Content | 00 00 00 00 00 00 00 00
    TLS record header | Content | 00 00 ... 00  (32 zero bytes)
    TLS record header | Content | 00 00 ... 00  (64 zero bytes)

Because the padding length is the sender’s choice, the record length on the wire no longer reveals the content length.
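The padded record plaintext from slides 46-49 is the TLSInnerPlaintext of RFC 8446 (content || real content type || zero bytes). This is an added example in Python, not code from the talk or from GnuTLS; it builds and parses that structure, pads records up to a size class so that the sample requests (constructed) become indistinguishable by length, and handles the two error cases the RFC names: an oversized record (record_overflow) and a record made only of zeros, which carries no content type at all (unexpected_message). The 16-byte AEAD tag length is an assumption (AES-GCM / ChaCha20-Poly1305).

```python
"""TLS 1.3 record padding (RFC 8446 §5.2 and §5.4): TLSInnerPlaintext = content || type || zeros."""

MAX_FRAGMENT = 2 ** 14           # largest content fragment a record may carry (§5.1)
MAX_CIPHERTEXT = 2 ** 14 + 256   # TLSCiphertext.length bound; beyond it: record_overflow (§5.2)
AEAD_TAG_LEN = 16                # assumed tag size of the negotiated AEAD cipher

ALERT, HANDSHAKE, APPLICATION_DATA = 21, 22, 23


def encode_inner_plaintext(content, content_type, pad_to=0):
    """Build the plaintext that the record layer hands to the AEAD cipher.
    pad_to > 0 rounds the length up to a multiple of pad_to with zero bytes, so that
    every record in a size class looks alike on the wire."""
    if len(content) > MAX_FRAGMENT:
        raise ValueError("record_overflow")
    inner = content + bytes([content_type])
    if pad_to:
        inner += b"\x00" * (-len(inner) % pad_to)
    if len(inner) + AEAD_TAG_LEN > MAX_CIPHERTEXT:
        raise ValueError("record_overflow")
    return inner


def decode_inner_plaintext(inner):
    """Receiver side: scan from the end past the zero padding; the first non-zero byte is
    the real content type. Content that itself ends in zero bytes is unaffected, because
    the type byte sits between it and the padding. All zeros means there is no type at
    all, and the RFC requires an unexpected_message alert."""
    end = len(inner)
    while end > 0 and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("unexpected_message")
    return inner[:end - 1], inner[end - 1]


def record_header(encrypted_len):
    """Outer TLSCiphertext header: opaque_type is always application_data (23) and
    legacy_record_version is always 0x0303, whatever the real inner type is."""
    return bytes([APPLICATION_DATA, 0x03, 0x03]) + encrypted_len.to_bytes(2, "big")


def wire_lengths(messages, pad_to=0):
    """Record lengths an on-path observer sees: header + inner plaintext + AEAD tag."""
    lengths = []
    for msg in messages:
        inner = encode_inner_plaintext(msg, APPLICATION_DATA, pad_to)
        lengths.append(len(record_header(len(inner) + AEAD_TAG_LEN)) + len(inner) + AEAD_TAG_LEN)
    return lengths


# Constructed sample traffic: two requests whose lengths differ by more than a block.
SAMPLE = [b"GET /login HTTP/1.1\r\n\r\n",
          b"GET /some/much/longer/resource/path HTTP/1.1\r\n\r\n"]

if __name__ == "__main__":
    print("unpadded:", wire_lengths(SAMPLE))          # two different lengths
    print("padded to 64:", wire_lengths(SAMPLE, 64))  # both 85
```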
Slide 50: 4 Pre-shared key schemes (Pre-shared keys in TLS 1.3, Attacks in TLS 1.3 pre-shared keys)

Slides 51-54: Pre-shared keys in TLS
- Two peers might already share a key.
- You need to securely distribute the keys to the parties.
- You don’t have forward secrecy, either.
- You need to have a key management policy... and you have to build it from scratch, because the protocol doesn’t give it to you.
- They’ve never been a first-class citizen in TLS.
- Pre-shared keys are first-class in TLS 1.3: PSKs now underpin two notable TLS 1.3 features, session resumption and 0-RTT.

Slide 55: A TLS 1.3 pre-shared key handshake (* = optional)
ClientHello + key_share* + pre_shared_key*   -------->
                        <--------   ServerHello + key_share* + pre_shared_key*
                        <--------   Finished
Finished                                     -------->

Slides 56-57: TLS 1.3 pre_shared_key extension
Offered PSKs (identities):
  PSK 1 - Identity: "ander"   - Obfuscated ticket age
  PSK 2 - Identity: "john"    - Obfuscated ticket age
  PSK 3 - Identity: "michael" - Obfuscated ticket age
Binders, one per offered PSK:
  Binder for PSK 1
  Binder for PSK 2
  Binder for PSK 3
  58. 58. Introduction A Crypto Primer TLS 1.3 noteworthy features Pre-shared key schemes Session resumption Session ticket key rotation Speeding up TLS 1.2 and 1.3 Pre-shared keys in TLS 1.3 Attacks in TLS 1.3 pre-shared keys Enumeration attack on TLS 1.3 PSKs TLS 1.3 PSKs (as of draft -28) are vulnerable to an enumeration attack. GitHub (TLS working group) pull requests: #11673 #11894 3 https://github.com/tlswg/tls13-spec/pull/1167 4 https://github.com/tlswg/tls13-spec/pull/1189 Ander Juaristi a@juaristi.eus Tecnalia, Research & Innovation Hitchhiker’s guide to TLS 1.3 and GnuTLS
  59. 59. Introduction A Crypto Primer TLS 1.3 noteworthy features Pre-shared key schemes Session resumption Session ticket key rotation Speeding up TLS 1.2 and 1.3 Pre-shared keys in TLS 1.3 Attacks in TLS 1.3 pre-shared keys Enumeration attack on TLS 1.3 PSKs TLS 1.3 PSKs (as of draft -28) are vulnerable to an enumeration attack. GitHub (TLS working group) pull requests: #11673 #11894 Some other similar attacks: CVE-2003-0190 CVE-2006-5229 3 https://github.com/tlswg/tls13-spec/pull/1167 4 https://github.com/tlswg/tls13-spec/pull/1189 Ander Juaristi a@juaristi.eus Tecnalia, Research & Innovation Hitchhiker’s guide to TLS 1.3 and GnuTLS
  60. 60. Introduction A Crypto Primer TLS 1.3 noteworthy features Pre-shared key schemes Session resumption Session ticket key rotation Speeding up TLS 1.2 and 1.3 Pre-shared keys in TLS 1.3 Attacks in TLS 1.3 pre-shared keys Enumeration attack on TLS 1.3 PSKs Excerpt from draft -28 Prior to accepting PSK key establishment, the server MUST validate the corresponding binder value [...] If this value is not present or does not validate, the server MUST abort the handshake. Ander Juaristi a@juaristi.eus Tecnalia, Research & Innovation Hitchhiker’s guide to TLS 1.3 and GnuTLS
61-62. Enumeration attack, step 1 (figure)
  Client -> Server: ClientHello + key_share + pre_shared_key, offering the identities andrew, michael, nikos, daiki, henry, jon, eve, mallory
  Server: connection aborted
63-64. Enumeration attack, step 2 (figure)
  Client -> Server: ClientHello + key_share + pre_shared_key, offering andrew, michael, nikos, daiki
  Server -> Client: ServerHello + key_share, Finished (none of these identities is known, so a full handshake proceeds)
  Client -> Server: ClientHello + pre_shared_key, offering henry, jon, eve, mallory
  Server: connection aborted
65. Enumeration attack, step n (figure)
  Client -> Server: ClientHello + key_share + pre_shared_key, offering mallory
  Server: connection aborted
66. How to use pre-shared keys in GnuTLS
    #include <gnutls/gnutls.h>

    gnutls_psk_server_credentials_t creds;

    /* allocate the PSK server credentials structure */
    gnutls_psk_allocate_server_credentials(&creds);
    /* my_callback_function(session, username, key) is the application's
     * lookup from a PSK identity to its key */
    gnutls_psk_set_server_credentials_function(creds, my_callback_function);
    /* attach the PSK credentials to the session */
    gnutls_credentials_set(session, GNUTLS_CRD_PSK, creds);
67. The GnuTLS approach
Always consider the first PSK identity only, no matter how many PSKs were advertised by the client.
If the PSK identity was not found, generate a random PSK.
68. The GnuTLS approach
    identity = Take the first PSK identity advertised
    If identity was found Then
        psk = Retrieve PSK associated to identity
    Else
        psk = Generate a random PSK
    End
    Use psk for TLS handshake
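The following is an added example, not code from the slides or from GnuTLS, written in Python because it models the server's PSK selection logic rather than the C API. It places a naive selection routine (walk the offered list, verify the binder of the first known identity, fall back to a full handshake when none is known) beside the GnuTLS approach just described (first identity only, random PSK when the identity is unknown), and shows that with the GnuTLS approach an unknown identity and a known identity with a bad binder produce the same outcome. The PSK database, the transcript hash and the binder derivation (an HMAC stand-in for HKDF) are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed PSK database (identity -> 32-byte key); the key values are placeholders.
PSK_DB = {
    b"ander": bytes.fromhex("00" * 31 + "01"),
    b"mallory": bytes.fromhex("00" * 31 + "02"),
}

# Constructed stand-in for the hash of the ClientHello up to (not including) the binders.
TRANSCRIPT_HASH = hashlib.sha256(b"ClientHello up to the binders list").digest()


def binder_key(psk: bytes) -> bytes:
    """Simplified stand-in for the TLS 1.3 key schedule (HKDF-Extract + Expand-Label)."""
    early_secret = hmac.new(b"\x00" * 32, psk, hashlib.sha256).digest()
    return hmac.new(early_secret, b"tls13 res binder", hashlib.sha256).digest()


def compute_binder(psk: bytes, transcript_hash: bytes) -> bytes:
    """PSK binder: HMAC over the transcript hash, keyed with the binder key."""
    return hmac.new(binder_key(psk), transcript_hash, hashlib.sha256).digest()


def select_psk_naive(identities, binders, transcript_hash):
    """Walks the offered list and skips unknown identities.

    A known identity with a bad binder aborts, while a list with no known
    identity falls back to a full handshake: the two cases are distinguishable.
    """
    for identity, binder in zip(identities, binders):
        psk = PSK_DB.get(identity)
        if psk is None:
            continue  # unknown identity: try the next one
        if hmac.compare_digest(compute_binder(psk, transcript_hash), binder):
            return "accept"
        return "abort"  # known identity, binder does not validate
    return "full_handshake"  # nothing matched: fall back to certificates


def select_psk_gnutls(identities, binders, transcript_hash):
    """Only the first identity is considered; unknown identities get a random PSK.

    The random PSK never validates the binder, so an unknown identity and a
    known identity with a wrong binder both end in the same abort.
    """
    identity, binder = identities[0], binders[0]
    psk = PSK_DB.get(identity)
    if psk is None:
        psk = secrets.token_bytes(32)  # fresh random PSK, as the GnuTLS approach prescribes
    if hmac.compare_digest(compute_binder(psk, transcript_hash), binder):
        return "accept"
    return "abort"
```

Both routines verify the binder in constant time with hmac.compare_digest; the difference that matters is only in what the server does when the identity is not in its database.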
69. Section 5: Session resumption
  TLS 1.3 session tickets
  Problems with TLS 1.3 session tickets
70. A TLS 1.3 full handshake (figure)
  Client -> Server: ClientHello (cipher suites, DH params, other stuff)
  Server -> Client: ServerHello (selected ciphers, DH params, certificate chain, other stuff), Finished
  Client -> Server: Finished
71. A session resumption handshake (figure)
  Client -> Server: ClientHello carrying information from a previous session
72-73. Session IDs and session tickets
You need to store the session information somewhere.
  In the server: session IDs
  In the client: session tickets
Session IDs are deprecated in TLS 1.3.
74. What's in a session ticket?
  PRF (hash function): the hash function of the current session.
  Ticket age add: the ticket_age_add value.
  Ticket lifetime: the ticket's TTL. This can be set with gnutls_db_set_cache_expiration().
  Ticket nonce: a unique per-ticket value.
  Resumption master secret: the RMS of the current session. It is used to generate the keys for the next (resumed) session.
75. Session tickets
The ticket is then encrypted and authenticated (EtA) and sent to the peer.
GnuTLS uses the RFC 5077 format for session tickets.
Tickets are sent in the clear, but they are encrypted with a key only the server knows. [5]
[5] This can lead to problems, as we'll see.
76. Session tickets (figure: RFC 5077 ticket layout)
  key_name (16 bytes)
  IV (16 bytes)
  2-byte length, measured in bytes, followed by the encrypted ticket (variable length)
  MAC (32 bytes)
77. GnuTLS, client side
    #include <gnutls/gnutls.h>

    gnutls_session_t session;
    gnutls_datum_t session_data;
    int ret;

    gnutls_init(&session, GNUTLS_CLIENT);
    /* load the session data saved by an earlier connection
     * (read_session_data_file is an application helper, not a GnuTLS call) */
    read_session_data_file(sess_file, &session_data);
    /* offer the stored session for resumption in the ClientHello */
    gnutls_session_set_data(session, session_data.data, session_data.size);

    do {
        ret = gnutls_handshake(session);
    } while (ret < 0 && !gnutls_error_is_fatal(ret));

    /* Send/Recv data here */

    /* fetch the session data (including any new ticket) for the next resumption */
    gnutls_session_get_data2(session, &session_data);
78. GnuTLS, server side
    #include <gnutls/gnutls.h>

    gnutls_session_t session;
    gnutls_datum_t stek;   /* session ticket encryption key */
    int ret;

    gnutls_init(&session, GNUTLS_SERVER);
    /* generate a fresh ticket key and enable tickets for this session */
    gnutls_session_ticket_key_generate(&stek);
    gnutls_session_ticket_enable_server(session, &stek);

    do {
        ret = gnutls_handshake(session);
    } while (ret < 0 && !gnutls_error_is_fatal(ret));

    /* Send/Recv data here */

    gnutls_bye(session, GNUTLS_SHUT_RDWR);
    gnutls_deinit(session);
79-80. GnuTLS, server side
  gnutls_session_ticket_key_generate(): generates a suitable ticket encryption key.
  gnutls_session_ticket_enable_server(): tells GnuTLS we want to use session tickets with the provided key, if possible.
81. Problems with TLS 1.3 session tickets
Pre-shared keys == session tickets: in TLS 1.3, pre-shared keys and session tickets are equal to an observer.
82-83. Problems with TLS 1.3 session tickets (figure)
TLS 1.3 pre-shared key handshake:
  Client -> Server: ClientHello + pre_shared_key (identities andrew, michael, nikos)
  Server -> Client: ServerHello + pre_shared_key (index 0), Finished
  Client -> Server: Finished
TLS 1.3 session resumption:
  Client -> Server: ClientHello + pre_shared_key (identity 0xAD08BFD7 CBFE804B A9E4F..., which is the session ticket)
  Server -> Client: ServerHello + pre_shared_key (index 0), Finished
  Client -> Server: Finished
84-85. Pre-shared keys == session tickets
In TLS 1.3, pre-shared keys and session tickets are equal to an observer.
Problem: then, how do you tell them apart? You don't.
86. Telling session tickets and PSKs apart
Remember the obfuscated ticket age field?
87. Telling session tickets and PSKs apart
Excerpt from the -28 draft: "For identities established externally an obfuscated_ticket_age of 0 SHOULD be used, and servers MUST ignore the value."
https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.2.11
88. Telling session tickets and PSKs apart: the GnuTLS approach
GnuTLS currently relies on the obfuscated ticket age being zero to tell pre-shared keys and session tickets apart.
89. Telling session tickets and PSKs apart
    If ob.ticket_age == 0 Then
        Take it as an identity.
        If psk is not found Then
            Abort
        End
    Else
        Take it as a session ticket.
        If (ticket does not decrypt) or (ticket is stale) Then
            Abort
        End
    End
90-92. Telling session tickets and PSKs apart: what else could be done?
Other approaches:
  Reverse procedure: treat it as a ticket first, and only if decryption (plus MAC verification) fails treat it as a PSK. But it's not clear how this would work with multiple ticket keys.
  Use the ticket key_name field (RFC 5077).
93. Telling session tickets and PSKs apart (figure: RFC 5077 ticket layout, as on slide 76)
  key_name (16 bytes)
  IV (16 bytes)
  2-byte length, measured in bytes, followed by the encrypted ticket (variable length)
  MAC (32 bytes)
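The following is an added example, not code from the slides or from GnuTLS. It implements the RFC 5077 ticket layout shown above (key_name, IV, length-prefixed encrypted state, MAC) with encrypt-then-authenticate, and uses the key_name field to decide whether an incoming pre_shared_key identity is a ticket this server issued, which is the "use the ticket key_name field" approach from the previous slide. It also carries the lifetime check from the GnuTLS pseudocode (a stale ticket is rejected). The ticket keys, the state encoding and the stream cipher (HMAC-SHA256 in counter mode, standing in for the AES-CBC that GnuTLS uses) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32
HEADER_LEN = KEY_NAME_LEN + IV_LEN + 2  # key_name | IV | 2-byte length

# Constructed ticket key ring: key_name -> (encryption key, MAC key).
# A real server gets its key from gnutls_session_ticket_key_generate(); these are placeholders.
TICKET_KEYS = {
    bytes.fromhex("00112233445566778899aabbccddeeff"): (b"E" * 32, b"M" * 32),
}


def _keystream(enc_key, iv, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for AES-CBC)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_state(created, lifetime, nonce, rms):
    """Ticket contents: creation time, lifetime (TTL), nonce, resumption master secret."""
    return struct.pack(">IIB", created, lifetime, len(nonce)) + nonce + rms


def decode_state(state):
    created, lifetime, nlen = struct.unpack(">IIB", state[:9])
    return created, lifetime, state[9:9 + nlen], state[9 + nlen:]


def seal_ticket(key_name, state, iv=None):
    """Encrypt-then-authenticate: key_name | IV | length | ciphertext | MAC over all of it."""
    enc_key, mac_key = TICKET_KEYS[key_name]
    iv = iv or os.urandom(IV_LEN)
    ciphertext = _xor(state, _keystream(enc_key, iv, len(state)))
    body = key_name + iv + struct.pack(">H", len(ciphertext)) + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_ticket(ticket):
    """Returns (status, state). The MAC is verified before anything is decrypted."""
    if len(ticket) < HEADER_LEN + MAC_LEN:
        return "reject: too short", None
    keys = TICKET_KEYS.get(ticket[:KEY_NAME_LEN])
    if keys is None:
        # Not sealed with any key we hold: this identity is not one of our tickets.
        return "reject: unknown key_name", None
    enc_key, mac_key = keys
    body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), mac):
        return "reject: bad MAC", None
    iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
    (length,) = struct.unpack(">H", body[KEY_NAME_LEN + IV_LEN:HEADER_LEN])
    ciphertext = body[HEADER_LEN:]
    if len(ciphertext) != length:
        return "reject: length mismatch", None
    return "ok", _xor(ciphertext, _keystream(enc_key, iv, length))


def resume_from_ticket(ticket, now):
    """Server-side path: open the ticket, then refuse it if it is stale."""
    status, state = open_ticket(ticket)
    if status != "ok":
        return status, None
    created, lifetime, _nonce, rms = decode_state(state)
    if now > created + lifetime:
        return "reject: stale", None
    return "ok", rms
```

With this layout a server can classify an identity by its first 16 bytes before doing any cryptography: a key_name it does not recognise is not a ticket it issued, so it can be handed to the PSK lookup without relying on the obfuscated ticket age being zero. Note that the check still does not decide anything about tickets sealed by another front-end with a key this server does not hold, which is the multiple-key problem the slide points at.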
94. Section 6: Session ticket key rotation
  Problems with current implementations
  What have others done?
  What has GnuTLS done?
95-97. How are session tickets generated in practice?
Sad truth: tickets are always encrypted with the same key.
Session tickets are not forward secret. Even though they could be.
Excerpt from RFC 5077: "The keys and cryptographic protection algorithms should be at least 128 bits in strength. [...] The keys should be changed regularly."
98. How are session tickets generated in practice?
Problem: implementations either ignore this, or make it very hard to do properly. Hence in practice, all the keys are always 128 bits and never rotated.
99-101. Apache and Nginx
Apache: will generate a fresh random key at start.
  Good: always kept in memory.
  Bad: there's no way to rotate it (well, without restarting).
  You also have SSLSessionTicketKeyFile, but it doesn't solve the problem either.
Nginx: pretty similar in all aspects.
Tim Taubert, "The sad state of server-side TLS session resumption implementations", https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
102-103. A case study: Twitter (figure)
  Key generator servers
  Front-end servers, each linked to the key generator servers over SSH
104-107. The GnuTLS approach
Assumptions:
  Legacy applications will keep on being... well, legacy.
  They first call gnutls_session_ticket_key_generate.
  And then gnutls_session_ticket_enable_server.
Hence, the best approach would be letting GnuTLS derive new additional keys from the initial key.
108-112. The GnuTLS approach
GnuTLS algorithm for automatic ticket key rotation:
  1. You set the key with gnutls_session_ticket_enable_server.
  2. GnuTLS uses that key to encrypt/decrypt tickets, but...
  3. ...it generates a new key from it every X seconds.
  4. You can set X with gnutls_db_set_cache_expiration.
Formula to derive the new key (T is the index of the current key period):
  T = floor((current_time - T0) / X)
113-115. The GnuTLS approach
GnuTLS keeps a circular buffer in memory with space for n keys.
When a new key is generated, it is placed in the buffer. Older keys are still kept in memory to decrypt incoming tickets.
The buffer eventually wraps around, overwriting the oldest keys.
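The following is an added example, not GnuTLS's code, modelling the rotation scheme of the last few slides in Python: the key period T = floor((current_time - T0) / X), a per-period key derived from the initial key, a key_name derived from each key so incoming tickets can be matched to it, and a circular buffer of n slots in which the oldest key is overwritten once the buffer wraps around. The derivation (HMAC-SHA256 with a label) and the key_name construction are assumptions of the example; the slides do not specify them.

```python
import hashlib
import hmac


class TicketKeyRing:
    """Automatic ticket key rotation with a fixed-size circular buffer (constructed model)."""

    def __init__(self, initial_key: bytes, t0: int, interval: int, size: int):
        self.initial_key = initial_key  # the key the application passed in
        self.t0 = t0                    # time the initial key was installed
        self.interval = interval        # X, the rotation period in seconds
        self.size = size                # n, number of keys kept in memory
        self.buffer = [None] * size     # circular buffer of (period, key_name, key)
        self.next = 0                   # slot the next new key overwrites

    def period(self, now: int) -> int:
        """T = floor((now - T0) / X)."""
        return (now - self.t0) // self.interval

    def derive(self, period: int):
        """Derive the key for one period from the initial key; deterministic, so two
        servers holding the same initial key and T0 derive the same keys."""
        key = hmac.new(self.initial_key, b"ticket-key|" + period.to_bytes(8, "big"),
                       hashlib.sha256).digest()
        key_name = hmac.new(key, b"key-name", hashlib.sha256).digest()[:16]
        return key_name, key

    def current(self, now: int):
        """Key used to seal new tickets at time `now`, generating and storing it if needed."""
        t = self.period(now)
        for entry in self.buffer:
            if entry is not None and entry[0] == t:
                return entry[1], entry[2]
        key_name, key = self.derive(t)
        self.buffer[self.next] = (t, key_name, key)  # overwrites the oldest entry once full
        self.next = (self.next + 1) % self.size
        return key_name, key

    def lookup(self, key_name: bytes):
        """Key for an incoming ticket's key_name, or None once that key has been overwritten."""
        for entry in self.buffer:
            if entry is not None and entry[1] == key_name:
                return entry[2]
        return None
```

Because the buffer holds only n keys, a ticket sealed more than roughly n periods ago can no longer be decrypted and the client falls back to a full handshake; that bound is what limits how far back a compromised server state can unlock past sessions.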
116-117. The GnuTLS approach
Gotchas (a.k.a. work in progress):
  What happens if you have more than one server? All front-end servers would need access to the same set of keys. Maybe some serialization/deserialization functions would help here?
  Could we avoid the need for an in-memory circular buffer?
118. Section 7: Speeding up TLS 1.2 and 1.3
  TLS 1.2 False Start
  TLS 1.3 0-RTT
119. TLS 1.2 False Start
    Client -> Server: ClientHello (supported algs.)
    Server -> Client: ServerHello (selected alg.), ServerKeyExchange (key share)
    Client -> Server: ClientKeyExchange (key share), ChangeCipherSpec, Finished, Application data (GET / HTTP/1.1)
    Server -> Client: ChangeCipherSpec, Finished
120. TLS 1.2 False Start

    #include <gnutls/gnutls.h>

    gnutls_session_t session;
    int ret;
    unsigned int flags;

    /* Ask GnuTLS to send application data before the server's Finished arrives. */
    gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START);

    do {
        ret = gnutls_handshake(session);
    } while (ret < 0 && !gnutls_error_is_fatal(ret));

    /* The flag is only set when the negotiated parameters allow False Start. */
    flags = gnutls_session_get_flags(session);
    if (flags & GNUTLS_SFLAGS_FALSE_START) {
        // Send False Start data here
    }
121-122. TLS 1.3 0-RTT: TLS False Start cut the handshake from 2 RTTs to 1 RTT. TLS 1.3 0-RTT allows us to cut from 1 RTT to 0 RTT.
123-125. TLS 1.3 0-RTT: If we already share a key from an earlier session, we can start sending data right away. The key could actually be a session ticket.
126. 0-RTT
    Client -> Server: ClientHello + key_share* + pre_shared_key + early_data; Application data (GET / HTTP/1.1)
    Server -> Client: ServerHello + key_share* + pre_shared_key + early_data*; Finished; Application data (HTTP/1.1 200 OK)
    Client -> Server: Finished
127-130. 0-RTT security: 0-RTT saves a round trip for some application data at the cost of certain security properties.
    Condition: peers must share a pre-shared key beforehand.
    Limitations: it's not forward secret; vulnerable to replay attacks between connections.
    In general: beware of idempotent requests!
131-136. 0-RTT security
    Single-use tickets: tickets can only be used once. When you receive a ticket and do 0-RTT, you discard it and issue a new one. But this takes server space.
    Client Hello recording: the server stores ClientHellos for which 0-RTT has already been done. If we receive another 0-RTT for one of those, discard it. But this also takes server space.
    Freshness checks: store the ticket creation time in the ticket itself. Discard 0-RTTs for "old" tickets. Managing the window can be tricky: you might get billions of replays in that time.
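An added example in C, not GnuTLS's or the speaker's code, that combines two of the mitigations above (a freshness window on the ticket creation time, and ClientHello recording inside that window) into one server-side check. WINDOW_SECS, MAX_SEEN and the hash length are assumed constants, and any verdict other than accept means the server discards the early data and continues with a normal 1-RTT handshake.

```c
/* Added example (not GnuTLS code): a server-side 0-RTT replay filter that
 * combines a freshness window on the ticket's creation time with recording
 * of the ClientHellos already used for 0-RTT inside that window. Entries
 * older than the window are dropped, which bounds memory: a replay of an
 * expired ticket is caught by the freshness check anyway. */
#include <stdint.h>
#include <string.h>
#include <time.h>

#define WINDOW_SECS 10   /* assumed: how long a ticket may be used for 0-RTT */
#define MAX_SEEN    64   /* assumed bound; real servers size this by load */
#define CH_HASH_LEN 32   /* hash of the ClientHello, e.g. SHA-256 */

struct seen_hello { uint8_t hash[CH_HASH_LEN]; time_t seen_at; int used; };
struct replay_filter { struct seen_hello seen[MAX_SEEN]; };

/* Any verdict other than EARLY_ACCEPT means: discard the early data and
 * continue with an ordinary 1-RTT handshake, not abort the connection. */
enum early_verdict { EARLY_ACCEPT, EARLY_REJECT_STALE, EARLY_REJECT_REPLAY, EARLY_REJECT_FULL };

enum early_verdict check_early_data(struct replay_filter *f, time_t ticket_created,
                                    const uint8_t ch_hash[CH_HASH_LEN], time_t now)
{
    /* Freshness check: the creation time travels inside the sealed ticket. */
    if (ticket_created > now || now - ticket_created > WINDOW_SECS)
        return EARLY_REJECT_STALE;

    int free_slot = -1;
    for (int i = 0; i < MAX_SEEN; i++) {
        struct seen_hello *e = &f->seen[i];
        if (e->used && now - e->seen_at > WINDOW_SECS)
            e->used = 0;                  /* expired: slot can be reused */
        if (!e->used) {
            if (free_slot < 0) free_slot = i;
            continue;
        }
        /* ClientHello recording: same hash inside the window is a replay. */
        if (memcmp(e->hash, ch_hash, CH_HASH_LEN) == 0)
            return EARLY_REJECT_REPLAY;
    }
    if (free_slot < 0)
        return EARLY_REJECT_FULL;         /* fail closed when the table is full */

    memcpy(f->seen[free_slot].hash, ch_hash, CH_HASH_LEN);
    f->seen[free_slot].seen_at = now;
    f->seen[free_slot].used = 1;
    return EARLY_ACCEPT;
}
```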
137. The end

Thank you!

Acknowledgements: Nikos Mavrogiannopoulos, Daiki Ueno, Hubert Kario, Daniel Kahn Gillmor, the Twitter guys.

Sample code: https://gitlab.com/juaristi/osdc18-demos
Forward Secrecy at Twitter: https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html