Secure communications are one of the most important topics in information security, and the Transport Layer Security (TLS) protocol is currently the most used protocol to provide secure communications on the internet. For example, when you are connecting to your online banking application, your favorite instant message application or social networks, all those communications are being transmitted using TLS. With TLS, the information sent by the browser and the service is secured and encrypted, meaning that the information cannot be modified or tampered with by an attacker. The communications are also verified to ensure that the browser is connected to the right endpoint (e.g. Wikipedia).
Presentation, called “Playback: A TLS 1.3 Story,” about some of the known security implications of using 0-RTT and will show proof of concepts of some attacks that have been seen in real-world environments. Attendees will learn about TLS 1.3 0-RTT, see some examples about how an attacker could take advantage of that new feature and get an understanding of the security implications of enabling the feature and how it could be used safely minimizing any potential security impacts.
Speakers:
Alfonso García Alguacil, Senior Penetration Tester at Cisco
Alejo Murillo Moya, Red Team Lead EMEAR @ Cisco
30. ANTI-REPLAY PROTECTIONS (JUL-2018)
Single-Use Tickets
0-RTT without
protections
Single-Use
Tickets
Client-Hello
Recording
Application
Profile
0-RTT not available
Different API for
handling 0-RTT
Other protections
0-RTT only on “safe”
methods
0-RTT only on “safe”
methods, no params
BoringSSL
Partial
(HTTP Header)
n/a
n/a
n/a
n/a
n/a
n/a
56. TOOL: HIGH-LEVEL DESCRIPTION
• Assumes a vantage point in the network
• Provides creation of templates for encrypted traffic.
• Supports the two attacks described on this presentation.
• Available at https://github.com/portcullislabs/tlsplayback
57. SIDE EFFECTS OF 0-RTT
• It is important to understand that 0-RTT creates a
dependency between the application and the
underlying TLS 1.3 protocol
• The application will need to be 0-RTT aware.
• Enabling 0-RTT could leave you application
vulnerable to replay attacks
• Ultimately, the last line of defence would be the
application itself.
58. MITIGATIONS
• Disable 0-RTT
• Ensure that your application does not allow
replays (e.g. strict CSRF). Ensure that REST services
are developed properly
• Create an strict application profile after careful
analysis
59. KEY TAKEAWAYS
• TLS 1.3 is awesome, but could lead to a
vulnerable application if 0-RTT is being used.
• Your application (not just webapps) needs to be
0-RTT-aware to prevent side effects
• You may need to change your application or
server/CDN configuration to protect against
replay attacks