1. TLS all the things!
Modern, robust & secure Transport Layer Security
configuration.
Wojciech Podgórski
keybase.io/wpodgorski
2. About me
• Senior software engineer at
• Siili Security Awareness Initiative
a.k.a. Security Church founder &
leader
• OWASP member
• Developer interested in information
security & cryptography
5. Why should we even care?
Authenticity
We know that we talk to the right party
Integrity
We know that what we say is not altered
Confidentiality
We know that what we say is kept secret
6. How does TLS secure communication
TLS employs the best of both worlds of
symmetric and asymmetric cryptography to
protect communication. To achieve this, TLS has to
implement the following security mechanisms:
1. Authentication
2. Key exchange
3. Encryption & integrity
4. Forward secrecy
7. How TLS encrypts the traffic
Figure 1. Secure communication protocol overview. Adapted from “The Best TLS Training in the World” handouts,
by Ivan Ristić, conducted by Scott Helme, London 2018.
8. What is a certificate?
A certificate is a digital document that contains a
public key, information about the entity
associated with it, and a digital signature from
the certificate issuer.
A valid certificate can be considered proof of the
cryptographic identity of the entity associated
with it, validated by its issuer.
9. What is a certificate?
A certificate holds vital information but cannot be used
for entity validation by itself. Trust is built upon a
chain of certificates that always leads to a trusted root.
Figure 2. Certificate chain. Adapted from “Bulletproof SSL and TLS”,
by Ivan Ristić, 2017.
11. What is a certificate?
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7900024253956031814 (0x6da28633ee050546)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Mar 13 18:47:19 2018 GMT
            Not After : Jun 5 18:17:00 2018 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: ...
12. Measuring strength of cryptography
The security of the ciphertext depends entirely on
the key.
If the key is selected from a large keyspace and
breaking the encryption requires iterating through
a prohibitively large number of possible keys, then
we say that a cipher is computationally secure.
Computationally secure simply means that it takes
too much time/effort to break.
13. Measuring strength of cryptography
• Cryptographic security is measured in the number
of operations required to break a cryptographic
primitive.
• Currently 128 bits (2^128 operations) is
considered strong.
• Key size selection for key exchange is all about
the balance between security and
performance.
14. Measuring strength of cryptography
Table 1. Security levels and equivalent strength in bits, adapted from ECRYPT2 (2012).
Adapted from “Bulletproof SSL and TLS”, by Ivan Ristić, 2017.
15. Authentication & key exchange
The first decision to make when deploying TLS is which key
algorithm to choose. The choices are:
• RSA - universally supported, but does not scale well
• DSA - abandoned, insecure, keys limited to 1024 bits (equiv.
~77 bits)
• ECDSA - modern, fastest, most secure, not supported by
older clients
It is possible to have RSA and ECDSA at the same time,
although not all server software supports it.
16. Authentication & key exchange
Once the key algorithm is selected, key length has
to be chosen:
• Minimum RSA key size is 2048 bits (equiv. ~112
bits). To achieve roughly 128 bits of security, a
3072-bit key is required, which is substantially
slower.
• Minimum ECDSA key size is 256 bits (equiv. 128
bits).
• It is worth noting that 512-bit ECDSA ≈ 15,424-bit
RSA ≈ 256 bits of security.
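The key-size minimums above, applied to the kind of `openssl x509 -text` dump shown on the "What is a certificate?" slide. This is an added example, not part of the original deck; the function name and verdict strings are illustrative, and the EC, weak RSA and DSA dumps are constructed.

```python
import re

def check_cert_key(dump):
    """Grade the public key in `openssl x509 -text` output against the slides' minimums.

    Returns (algorithm, bits, verdict); bits is None when the dump states no size.
    """
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", dump)
    if not alg:
        raise ValueError("no 'Public Key Algorithm' line in dump")
    alg = alg.group(1)
    size = re.search(r"Public-Key:\s*\((\d+) bit\)", dump)
    bits = int(size.group(1)) if size else None
    if alg == "dsaEncryption":  # rejected regardless of size
        return alg, bits, "reject: DSA is abandoned and insecure"
    if alg not in ("rsaEncryption", "id-ecPublicKey"):
        return alg, bits, "unknown: algorithm not covered by the slides"
    if bits is None:
        raise ValueError("no 'Public-Key: (N bit)' line in dump")
    if alg == "rsaEncryption":
        if bits < 2048:
            return alg, bits, "reject: RSA below the 2048-bit minimum"
        if bits < 3072:
            return alg, bits, "ok: minimum met (~112 bits), below the 128-bit level"
        return alg, bits, "ok: roughly 128 bits of security or more"
    if bits < 256:
        return alg, bits, "reject: ECDSA below the 256-bit minimum"
    return alg, bits, "ok: 128 bits of security or more"

# Key fields copied from the certificate dump on the slide.
SLIDE_DUMP = """\
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
"""
# Constructed dumps for the remaining cases.
EC_DUMP = "Public Key Algorithm: id-ecPublicKey\n    Public-Key: (256 bit)\n"
WEAK_RSA_DUMP = "Public Key Algorithm: rsaEncryption\n    Public-Key: (1024 bit)\n"
DSA_DUMP = "Public Key Algorithm: dsaEncryption\n"

if __name__ == "__main__":
    for dump in (SLIDE_DUMP, EC_DUMP, WEAK_RSA_DUMP, DSA_DUMP):
        print(check_cert_key(dump))
```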
17. Encryption & integrity
TLS supports all types of encryption: block,
stream and authenticated ciphers.
Integrity validation is part of the encryption
process. It is handled either explicitly at the
protocol level via Message Authentication Code
(MAC) or implicitly by the negotiated cipher via
Pseudo Random Function (PRF).
18. Encryption & integrity
When selecting an encryption algorithm, remember
to:
• Favor authenticated encryption cipher suites
(GCM or CCM).
• Use AES (block or authenticated) and/or
ChaCha20 (stream) cipher suites.
• Do not use weak (e.g. 3DES – 112 bits of
security at most) or insecure ciphers (e.g. RC4).
19. The anatomy of the cipher suite
A cipher suite is a key component of TLS configuration.
It constitutes a selection of cryptographic primitives
and parameters that define how the security of the
communication will be implemented.
Currently there are more than 300 official cipher suites,
which can be found on the IANA TLS Parameters page.
20. The anatomy of the cipher suite
• Authentication method
• Key exchange method
• Encryption algorithm
• Encryption key size
• Cipher mode (when applicable)
• MAC algorithm (when applicable)
• Pseudo Random Function (PRF) (TLS 1.2)
• Hash function used for the Finished message (TLS 1.2, RFC only)
• Length of the verify_data structure (TLS 1.2, RFC only)
21. The anatomy of the cipher suite
Figure 3. Cipher suite name construction. Adapted from “Bulletproof SSL and TLS”, by Ivan Ristić, 2017.
22. The anatomy of the cipher suite
Table 2. Examples of cipher suite names and their security properties.
Adapted from “Bulletproof SSL and TLS”, by Ivan Ristić, 2017.
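The name construction and the selection advice from the "Encryption & integrity" slide, as an added Python example (not part of the original deck). It handles IANA-style TLS 1.2 names only; `parse_suite`, `audit` and the sample list are illustrative names, and the sample offer is constructed.

```python
import re

AEAD_MODES = {"GCM", "CCM", "POLY1305"}
# Ciphers the slides say to avoid.
BAD_CIPHERS = {"3DES": "weak cipher 3DES (112 bits at most)",
               "RC4": "insecure cipher RC4"}

def parse_suite(name):
    """Split an IANA-style TLS 1.2 suite name into the parts listed on the slide."""
    m = re.fullmatch(r"TLS_(\w+?)_WITH_(\w+)", name)
    if not m:  # TLS 1.3 names (no _WITH_) and OpenSSL-style names are out of scope
        raise ValueError(f"unsupported suite name: {name}")
    left, right = m.group(1).split("_"), m.group(2).split("_")
    cipher = right[0]
    # Key size is the token after the cipher, or implied by the cipher itself.
    bits = int(right[1]) if len(right) > 1 and right[1].isdigit() else \
        {"3DES": 168, "CHACHA20": 256}.get(cipher)
    mode = next((t for t in right[1:] if t in AEAD_MODES | {"CBC"}), None)
    digest = right[-1] if right[-1].startswith(("SHA", "MD5")) else None
    aead = mode in AEAD_MODES
    # In AEAD suites the trailing hash names the PRF; otherwise it names the HMAC.
    return {"key_exchange": left[0], "authentication": left[-1],
            "cipher": cipher, "key_bits": bits, "mode": mode, "aead": aead,
            "mac": None if aead else digest, "prf_hash": digest if aead else None,
            "forward_secrecy": left[0] in {"DHE", "ECDHE"}}

def audit(name):
    """Return findings for one suite, following the selection advice on the slides."""
    s = parse_suite(name)
    findings = []
    if s["cipher"] in BAD_CIPHERS:
        findings.append(BAD_CIPHERS[s["cipher"]])
    if not s["aead"]:
        findings.append("not authenticated encryption (favor GCM or CCM)")
    if not s["forward_secrecy"]:
        findings.append("no forward secrecy")
    return findings

# Constructed sample list of suites a server might offer.
SAMPLES = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
           "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
           "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]

if __name__ == "__main__":
    for suite in SAMPLES:
        print(suite, "->", audit(suite) or "ok")
```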
24. Demo setup
• nginx 1.12.2 (stable) or 1.13.11 (mainline)
• openssl 1.0.2o (LTS) or 1.1.0h (stable)
• acme-tiny 4.0.3
Additionally, if you want to statically compile nginx with
a newer version of OpenSSL:
• gcc
• pcre 8.40
• zlib 1.2.11
25. Taking the next step
Learn
• SSL/TLS and PKI History
• OpenSSL Cookbook
• Bulletproof SSL and TLS
• The Best TLS Training in the World
• badssl.com
26. Taking the next step
Configure & deploy
• SSL and TLS Deployment Best Practices
• HTTPS Cheat Sheet
• OWASP TLS Cheat Sheet
• Cipherli.st - Strong Ciphers for Apache, nginx
and Lighttpd
• Mozilla SSL Configuration Generator
27. Taking the next step
Validate
• SSL Server Test
• Security Headers
• Hardenize: Making web site security easy and
fun
• Rebex SSH Check
• /bin/bash based SSL/TLS tester: testssl.sh