This document discusses various topics related to transport layer security (TLS) including:
- A brief history of TLS and its predecessors SSL.
- An overview of the TLS handshake process and how it establishes encryption between a client and server.
- Explanations of key TLS concepts like public-key cryptography, certificates, and different types of encryption.
- Performance considerations for TLS including reducing latency in the handshake process and optimizing TLS configuration.
- Methods for improving TLS performance such as using session tickets, TLS false start, HTTP/2, and content delivery networks.
26. @thisNatasha
7. Application Data HTTP /
IMAP
6. Data Presentation,
Encryption
SSL / TLS
5. Session and connection
management
-
4. Transport of packets and
streams
TCP / UDP
3. Routing and delivery of
datagrams on the Network
IP / IPSec
2. Local Data Connection Ethernet
1. Physical data connection
(cables)
CAT5
OSI Model
35. @thisNatasha@thisNatasha
6-10 messages
Handshake
Full handshake with server
authentication
- Exchange capabilities
- Agree on params
- Validate certs
- Agree master secret
- Verify handshake was not
modified
Abbreviated handshake
(resumes earlier session)
36. @thisNatasha
Handshake Flow
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Key Exchange
Authentication Algorithm Strength Mode
Cipher MAC or PRF
TLS/HandshakeCheatSheet Key Exchange Method: creates the pre master secret.
Premaster secret is combined with PRF to create master
secret
RSA, DHE_RSA,
ECDHE_RSA,
ECDHE_ECDSA
Authentication Method: Uses public key crypto and
certificates public key together. Once certificate is
validated the client can used public key.
RSA or ECDSA
Certs: X.509, ASN.1
DER encoding.
Server
Hello,
Certificate
- Server selects cipher & compression
method
- Server send certificate
- Client authenticates
Key Exchange Pre-master secret exchanged between
client & server, client validates certificate
Master
Secret
Client & Server can compute Master Secret.
MAC Server verifies MAC, returns to client to
verify also.
Finished Handshake complete.
Client Hello Client sends TLS Version, Ciphersuites,
Compression methods
Ciphers, Standards and Terms
Encryption
3DES, AES, ARIA,
CAMELLIA, RC4, and
SEED
[1] Steam: adds MAC [2]
Block: adds IV and
padding after encryption
[3] Encryption (AEAD):
encryption and integrity
validation, using nonce,
no padding, no IV.
Master Secret
Pre-master secret:
combines params to
help client and server
create master secret.
Master Secret: both
server and client create
this from pre-master
secret to symmetrically
encrypt
Integrity Validation
PRF: Pseudorandom
Function. Takes a
secret, a seed, and a
unique label. TLS1.2
suites use PRF based
on HMAC and SHA256
MAC: used for integrity
validation in handshake
and record.
44. @thisNatasha@thisNatasha
Key Exchange
Depends on negotiated algorithm
suite and algorithm
- RSA: attackers can de-encrypt
everything if has server private
key, being replaced
- DHE_RSA: has forward secrecy but
slow
- ECDHE_RSA and ECDHE_ECDSA: Fast and
forward secrecy. Can be used with
RSA or ECDSA
- Server speaks first
- Server sends params and signature
of params for authentication
45. @thisNatasha@thisNatasha
Authentication
Certificate + Public Key
Coupled with Key Exchange
Public Key Crypto (RSA or ECDSA)
RSA method:
- Client creates a random value as
premaster secret
- Encrypts with public key
- Server decrypts
- Constructs Session Keys
- Finished.
48. @thisNatasha
Handshake Flow
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Key Exchange
Authentication Algorithm Strength Mode
Cipher MAC or PRF
TLS/HandshakeCheatSheet Key Exchange Method: creates the pre master secret.
Premaster secret is combined with PRF to create master
secret
RSA, DHE_RSA,
ECDHE_RSA,
ECDHE_ECDSA
Authentication Method: Uses public key crypto and
certificates public key together. Once certificate is
validated the client can used public key.
RSA or ECDSA
Certs: X.509, ASN.1
DER encoding.
Server
Hello,
Certificate
- Server selects cipher & compression
method
- Server send certificate
- Client authenticates
Key Exchange Pre-master secret exchanged between
client & server, client validates certificate
Master
Secret
Client & Server can compute Master Secret.
MAC Server verifies MAC, returns to client to
verify also.
Finished Handshake complete.
Client Hello Client sends TLS Version, Ciphersuites,
Compression methods
Ciphers, Standards and Terms
Encryption
3DES, AES, ARIA,
CAMELLIA, RC4, and
SEED
[1] Steam: adds MAC [2]
Block: adds IV and
padding after encryption
[3] Encryption (AEAD):
encryption and integrity
validation, using nonce,
no padding, no IV.
Master Secret
Pre-master secret:
combines params to
help client and server
create master secret.
Master Secret: both
server and client create
this from pre-master
secret to symmetrically
encrypt
Integrity Validation
PRF: Pseudorandom
Function. Takes a
secret, a seed, and a
unique label. TLS1.2
suites use PRF based
on HMAC and SHA256
MAC: used for integrity
validation in handshake
and record.
69. @thisNatasha
Optimise TCP
- initcwnd around 10 segments
- Slow start can restart, even after 1 second
- Keep TCP Connections Open: Use Keep Alives (HTTP1.1)
83. @thisNatasha@thisNatasha
Optimising the Handshake
Key Size: Longer keys
- better protection
- More CPU intensive
Key Algorithm: RSA sucks.
- RSA required strength too slow
- ECDSA faster (3072 bit RSA)
Key Exchange: RSA, DHE or ECDHE
- RSA has no forward secrecy
- DHE is slow
- ECDHE is your friend
(security and performance are influenced by
named curve)
Key Exchange
85. @thisNatasha@thisNatasha
Performance Hits: size, must be
validated, revocation checked
Certificates
Only include needed certs
Make sure a complete chain can be
created
Use ECDSA certs (1kb shorter than
RSA)
Don’t use too many hostnames on
the same cert
87. @thisNatasha@thisNatasha
Get your revocation info out quick,
select a fast CA,
and use OSCP stapling
Revocation
Checking
CRL: Certificate Revocation Lists
OSCP: Online Cert Status Protocol
Browsers CRLs download can be 10secs
OSCP certificate lookup in 1 request
Use CAs with fast and reliable OCSP
responders
Use CAs which update their
responders quickly
OSCP Stapling (450 bytes on
handshake)
88. @thisNatasha@thisNatasha
Full handshake will happen once,
rest will be abbreviated
Session
Resumption
Server admin could:
Configure session caching so
sessions remain valid for a day
Clients do the rest!
98. @thisNatasha@thisNatasha
TCP packets may arrive out-of-order
Need to be buffered!
Buffering Latency
Extra time:
- Buffering
- TCP Recovery (extra RTT)
- Overflowing initcwnd
TLS Tuning (experiment!):
- turn TLS record size down (16kb)
- 4kb
Better to leave to the web servers:
- Discover MTU
- They vary record size over
connection lifetime
99. @thisNatasha@thisNatasha
Inequality between client and server
CPU time can be used to DoS
(but more are moving to ECDHE_RSA or
ECDHE_ECDSA)
CPU time
inequality
RSA can be used to DoS
(still uses RSA for auth)
With ECDHE_ECDSA clients will then
do 1.5 times more work
101. @thisNatasha@thisNatasha
In the Past
- CPUs were slow
- TLS (SSL) was heavy
- Hardware Accelerators and
Certs were expensive
Now
- Clients and Servers have fast
processors, plenty of RAM
- Hardware accelerators not needed
- Certificates are cheap
- Latency is most of the issue.
111. @thisNatasha@thisNatasha
or/ Session Resumption
TLS 1.3 Abbreviated
handshake
Identifiers and Tickets are
obsolete!
Replaces with PSK
(pre-shared key mode)
PSK created on previous connection
after the handshake
PSK then presented on next visit!
119. @thisNatasha@thisNatasha
Some Caveats
0-RTT Security
No server random means replay
attacks still possible
1 RTT needed to get ephemeral
secret, so this has no Forward
Secrecy
MITM could tamper with 0-RTT data
if key is compromised
122. @thisNatasha@thisNatasha
Old Certificate way
Issuance and Identity
Verification
- Generate a Certificate Signing
Request (CSR).
- ⌘C⌘V CSR into a CA webpage
- Prove domain ownership by:
- Put a CA-provided challenge on
the web server.
- Put a CA-provided challenge at
a DNS location (target domain)
- Receive CA challenge via
e-mail corresponding to the
domain and respond
- Download the certificate and
install
127. @thisNatasha@thisNatasha
Domain Validation
Used to be done by email...
Agent creates new key pair
Proves to CA it has access to server
CA asks domain to complete “challenges”:
- Agent creates a file on server
- CA provides a nonce
- Agent signs nonce with private key
- Agent tells CA it’s ready to complete
validation
128. @thisNatasha
Certificate Issuance and Revocation
- Thank-you public key crypto!
Issue Certificate
- Agent asks CA to issue a cert with a
public key
- Agent also authorises by signing with
authorised key
- CA verifies both signatures
- CA issues cert with public key from CSR
CSR: PKCS#10 Certificate Signing Request
Revoke Certificate
- Agent signs revocation request with key
pair
- CA verifies authorisation
- CA publishes to CRL, OCSP
- Browsers learn they shouldn’t accept
cert
CRL, OCSP
137. @thisNatasha
Extra Credit: Multiple sites on one cert.
Ivan Ristic Says:
There’s a trick you can use if you want to keep handshake size down to a minimum but still have to host
multiple sites on the same IP address: (1) get a separate certificate for each hostname you wish to run and
configure your web server to serve these certificates to the clients that support SNI; (2) get one fallback
certificate that contains all the hostnames you have on the same IP address and configure your web server to
serve it to the clients that do not support SNI. If you do this, your SNI clients (the majority) will get
small certificates for the sites they wish to access, and everyone else (a small number of legacy clients)
will get the single long certificate.
138. @thisNatasha
Security of RTT Handshakes
At first glance, 0-RTT mode seems similar to session resumption or PSK, and you might wonder why one wouldn’t merge these mechanisms. The
differences however are subtle but important, and the security properties of 0-RTT handshakes are weaker than those for other kinds of TLS
data:
1. To protect against replay attacks the server must incorporate a server random into the master secret. That is unfortunately not possible
before the first round-trip and so the poor server can’t easily tell whether it’s a valid request or an attacker replaying a recorded conversation.
Replay protection will be in place again after the ServerHello message is sent.
2. The semi-static DH share given in the server configuration, used to derive the static secret and encrypt first flight data, defies forward
secrecy. We need at least one round-trip to establish the ephemeral secret. As configurations are shared between clients, and recovering the
server’s DH share becomes more attractive, expiration dates should be limited sensibly. The maximum allowed validity is 7 days.
3. If the server’s DH share is compromised a MITM can tamper with the 0-RTT data sent by the client, without being detected. This does not
extend to the full session as the client can retrospectively authenticate the server via the remaining handshake messages.
From
https://timtaubert.de/blog/2015/11/more-privacy-less-latency
-improved-handshakes-in-tls-13/
139. @thisNatasha
Content
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Key Exchange
Authentication Algorithm Strength Mode
Cipher MAC or PRF
Encryption Algorithm
Encryption Key Size (Strength)
Encryption Cipher Mode
3DES, AES, ARIA,
CAMELLIA, RC4, and
SEED.
Encryption: stream Plaintext + MAC
Encryption: block (encryption uses CBC
block mode)
Plaintext + MAC +
padding (encrypt) IV
(leave plain)
Encryption: authenticated (AEAD) Plaintext, seq number,
record header
(encrypt) Nonce
(leave plain)
CipherCheatSheet application protocol and the three
Handshake sub-protocols: the
Handshake Protocol, the Change
Cipher Spec Protocol, and the Alert
Protocol
Record Protocol