- The document discusses cryptography concepts like symmetric and asymmetric encryption, hashing, and digital signatures. It uses an example of Alice communicating securely with Bob to illustrate these concepts and how threats like eavesdropping and message tampering can be countered. - It then explains how Transport Layer Security (TLS) incorporates all these countermeasures to provide confidentiality, integrity, authentication for network communication, most commonly used to secure HTTPS connections on the web. - Some current issues with TLS are discussed like attacks that have been found and problems with certificate authorities, but overall it remains very important for network security. Users and developers are encouraged to properly configure and use TLS.

1. Alice & Bob
Love & the most important crypto on the net
Chris Hammond-Thrasher
chris.hammond-thrasher<at> ca.fujitsu.com
Twitter: <at> thrashor
Fujitsu Human Centric Security
22 October 2016
1Fujitsu Edmonton Security Lab

2. Agenda
• Meet Alice & Bob
• Alice using the most important crypto on the net
• How you can protect yourself
2Fujitsu Human Centric

3. First Some Terms
• Cryptology
• Cryptography
• Encryption
• Steganography
• Threat
• Countermeasure
Fujitsu Human Centric Security 3

4. Meet Alice & Bob
(& Eve)
4Fujitsu Human Centric Security

5. Fujitsu Human Centric Security 5
http://www.xkcd.com/

6. Threat:
Eavesdropping
Fujitsu Human Centric Security 6
Alice Bob
Eve
I love
you

7. Countermeasure:
Symmetric encryption
Fujitsu Human Centric Security 7
Alice Bob
Eve
Aa2iD
kh98u
Secret
key
I love you
Algorithm
(i.e. AES)
+
Secret
key
Aa2iD
kh98u
+ = I love you
Aa2iD
kh98u
=

8. Countermeasure:
Symmetric encryption
Fujitsu Human Centric Security 8

9. Threat:
Key interception
Fujitsu Human Centric Security 9
Alice Bob
Eve
Secret
key
Algorithm
(i.e. AES)
Secret
key
Aa2iD
kh98u
+ = I love you

10. Countermeasure:
Asymmetric encryption
Fujitsu Human Centric Security 10
Alice Bob
Eve
88zyq
t46R3
Bob’s
public key
Secret
key
Algorithm
(i.e. RSA)
+
Bob’s
private
key
88zyq
t46R3
+88zyq
t46R3
= Secret
key
=
Bob’s
public key

11. Countermeasure:
Asymmetric encryption
Fujitsu Human Centric Security 11
Algorithm: Diffie-Hellman
Math: Elliptic curves,
discrete logarithms,
modular arithmetic
Algorithm: RSA
Math: Factoring large prime numbers

12. Threat:
Message integrity
Fujitsu Human Centric Security 12
Alice Bob
Eve
I love you
I hate
you

13. Countermeasure:
Message digests
Fujitsu Human Centric Security 13
Alice Bob
EveI love you
I hate
you
I love you
Algorithm
(i.e. SHA-1)
I hate
you
=
3p8sf9JeGzr6
0+h
aC9F9mxANt
LM
L9ThxnotKPzt
hJ
7hu3bnORuT
6xI
=
L9ThxnotKPzt
hJ
7hu3bnORuT
6xI
L9ThxnotKPzt
hJ
7hu3bnORuT
6xI
X
X

14. Countermeasure:
Message digests
• Also known as:
– Hashes
– Cryptographic hashes
– Checksums
– One way functions
• Take an arbitrarily long input and produce a fixed length output
Fujitsu Human Centric Security 14

15. Threat:
Endpoint impersonation
Fujitsu Human Centric Security 15
Alice Eve
(impersonating Bob)
I love you
Algorithm
(i.e. AES)
Secret
key
Aa2iD
kh98u
+ = I love you

16. Countermeasure:
Endpoint validation
Fujitsu Human Centric Security 16
Alice Eve
(impersonating Bob)
I love you
Certificate
(bob.ca)
Public key
(bob.ca)X

17. What is TLS?
HTTPS = HTTP + TLS
TLS = Transport Layer Security = SSL = Secure Sockets Layer
History
• SSL 2.0 (1995) [Netscape Corporation]
• SSL 3.0 (1996) [Netscape Corporation]
• TLS 1.0 = IETF RFC 2246 (1999)
• TLS 1.1 = IETF RFC 4346 (2006)
• TLS 1.2 = IETF RFC 5246 (2008)
• TLS 1.3 (in draft)
17Fujitsu Human Centric Security
{almost}

18. What does TLS do?
• It is most famously used in secure browser connections
• TLS has every countermeasure that Alice and Bob just used plus
more
• Provides transport layer security for any TCP or UDP communication,
including:
– Confidentiality
– Message integrity
– Endpoint validation
– Perfect forward secrecy
18Fujitsu Human Centric Security

19. Confidentiality in TLS 1.2
• Asymmetric encryption for key agreement
– Key exchange methods: RSA, DHE_RSA, DH_RSA, RSA_PSK,
ECDH_RSA, ECDHE_RSA, DHE_DSS, DH_DSS, ECDH_ECDSA,
ECDHE_ECDSA
• Symmetric encryption for messages
– TLS_RSA_WITH_AES_128_CBC_SHA is mandatory in TLS 1.2
– Other commonly supported symmetric encryption methods:
AES_256, RC4_128, 3DES
Fujitsu Human Centric Security 19

20. Message integrity in TLS 1.2
• Signatures (in certificates)
– DSS/DSA, RSA
• HMACs
– Using digest algorithms: MD5, SHA-1, SHA-2
Fujitsu Human Centric Security 20

21. End-point validation in TLS 1.2
• Certificates
– X.509 certificates (a signed public key)
– Certificate types: rsa_sign, dss_sign, ecdsa_sign, rsa_fixed_dh,
dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh
• Signatures
– DSS/DSA, RSA
Fujitsu Human Centric Security 21

22. Current issues with TLS
• The Internet Engineering Task Force (IETF) has published a list of
known attacks against TLS in RFC 7457
• Certificate Authority (CA) shenanigans
– Symantec increases Blue Coat’s snooping powers: http://motherboard.vice.com/read/a-controversial-
surveillance-firm-was-granted-a-powerful-encryption-certifica
– WOSIGN cuts corners & gets blocked by Mozilla and Apple:
http://www.pcworld.com/article/3129725/certificate-policy-violations-force-reform-at-startcom-and-
wosign.html
– COMODO messes up but claims they are not the only one: https://threatpost.com/comodo-issues-
eight-forbidden-certificates/115311/
Fujitsu Human Centric Security 22

23. The elephant in the room?
Fujitsu Human Centric Security 23
Creative Commons Licensed http://www.flickr.com/photos/bitboy/

24. Users can override cert problems
• Users have been trained to ignore certificate warnings!
Fujitsu Human Centric Security 24

25. Learn more
• Read Eric Rescorla’s book
http://www.amazon.ca/SSL-TLS-Designing-Building-Systems/dp/0201615983/ref=sr_1_2?ie=UTF8&qid=1314062737&sr=8-2
• Read the spec
http://tools.ietf.org/html/rfc5246
25Fujitsu Human Centric Security

26. Use your knowledge
• Developers and Server Admins
– Disable SSL 3 support
– Replace old SHA-1 certificates with 256-bit SHA-2 (aka SHA-256)
certificates
– Make sure your TLS code uses a good list of cipher suites – don’t rely on
the defaults!
– Make sure your code checks Certificates for validity, expiration, and
revocation
– Do not use self-signed certs without a good reason and beware of bargain
Certificate Authorities
– When coding web services, both the server and the client ought to present
valid certificates
26Fujitsu Human Centric Security

27. Use your knowledge
• Browser users
– Heed certificate warnings
– Learn how to interpret certificate warnings
– Be aware of the risks if you ignore a certificate warning
– If you are geeky enough, disable SSL 3 in your browsers
27Fujitsu Human Centric Security

28. Fujitsu Edmonton Security Lab 28
Thank you!
Want more presentations like this?
Is there a particular security tool or hack that you would like to see demoed?
Is there a security technology that you always wanted explained, but not in a boring way?
Chris Hammond-Thrasher
Fujitsu Human Centric Security
Email: chris.hammond-thrasher <at> ca.fujitsu.com
Twitter: <at> thrashor

29. Fujitsu Human Centric Security 29
Source: ?