Was first presented at rannts#16 meetup: https://rannts.ru/meetups/16/

1. Podmokov E.V.
Go to TLS:
information security
specialist's
view
1

2. Agenda
• History
• What’s it ?
• Two levels of TLS
• Security
• TLS 1.3
2

3. History
SSL 1.0-3.0 (…-1996)
TLS 1.0 or SSL 3.1 (1999)
TLS 1.1 (2006)
TLS 1.2 (2008)
TLS 1.3 (2017!?)
tlswg.github.io/tls13-spec
3

4. The Transport Layer Security protocol aims primarily to provide privacy and
data integrity between two communicating computer applications.
The connection is private (or secure) because symmetric cryptography is
used to encrypt the data transmitted. The keys for this symmetric encryption
are generated uniquely for each connection and are based on a shared secret
negotiated at the start of the session (see TLS handshake protocol). The server
and client negotiate the details of which encryption algorithm and
cryptographic keys to use before the first byte of data is transmitted (see
Algorithm below). The negotiation of a shared secret is both secure (the
negotiated secret is unavailable to eavesdroppers and cannot be obtained,
even by an attacker who places themselves in the middle of the connection)
and reliable (no attacker can modify the communications during the
negotiation without being detected).
The identity of the communicating parties can be authenticated using public-
key cryptography. This authentication can be made optional, but is generally
required for at least one of the parties (typically the server).
The connection ensures integrity because each message transmitted
includes a message integrity check using a message authentication code to
prevent undetected loss or alteration of the data during transmission.
What’s it ?
4

5. What’s it ?
App
Presentation
Session
Phy
Transport
Network
Data Link
TLS Higher handshake layer
Lower recording layer
5

6. Recording
6

7. Handshake
Client Server
7

8. Reconnection
Client Server
8

9. Client Server
False Start
9

10. Other
• ChangeCipherSpec
• Alert
• Application Data
10

11. Certificate Authority
@babayota_kun: habrahabr.ru/post/258285
Chain of trust
Certificate Revocation List
OCSP
11

12. TLS with ГОСТ
• ГОСТ Р 34.10-2012 (RFC 7091)
electronic digital signature
• ГОСТ Р 34.11-2012 (RFC 6986) hash
tc26.ru 12

13. BEAST TLS 1.0
Browser Exploit Against SSL/TLS
Main algo with CBC
Ci = E(Key, Mi xor Ci-1)
If all msg is equal
M1 = Ci-1 xor IV xor P
C1 = E(Key, M1 xor IV) =
= E(Key, (Ci-1 xor IV xor P) xor IV) =
= E(Key, (Ci-1 xor P)) == Сi
13

14. BEAST TLS 1.0
msg segmentation to blocks
[login: *][*******] [*******] …
14

15. CRIME TLS 1.0-1.1
nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/
details-on-the-crime-attack/ 15

16. BREACH
blackhat.com/us-13/briefings.html#Prado
MS Outlook WEB Access
GET /owa/?ae=Item&t=IPM.Note&a=New&id=
canary=<guess>
<span
id=requestUrl>https://malbot.net:443/owa/forms/
basic/BasicEditMessage.aspx?ae=Item&amp;t=IPM.Note
&amp;a=New&amp;id=canary=<guess>
</span>
...
<td nowrap id="tdErrLgf"><a
href="logoff.owa?canary=d634cda866f14c73ac135ae85
8c0d894">LogOff</a></td>
Token CSRF
16

17. Lucky-13 TLS 1.0-1.2
Padding-oracle based
cryptopro.ru/blog/2013/02/19/kriptopro-tls-protiv-schastlivogo-chisla-13 17

18. Heartbleed
• OpenSSL CVE-2014-0160
18

19. 19

20. 20

21. 21

22. Others
FREAK & Logjam
POODLE (Padding Oracle On Downgraded
Legacy Encryption) - MITM
Sweet32
DROWN (Decrypting RSA with Obsolete and
Weakened eNcryption)
THC-SSL-DOS
….
22

23. TLS 1.3
• Not compatible to 1.2
• New handshake
• 0-RTT (round-trip time)
• metadata
23

24. Links
• TLS 1.3 tlswg.github.io/tls13-spec
• TLS details tls.dxdt.ru/tls.html
• DEV literature
blog.cloudflare.com/introducing-tls-1-3
• Network
blog.fourthbit.com/2014/12/23/traffic-
analysis-of-an-ssl-slash-tls-session
24