Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing Data in Transit -

1,112 views

Published on

  • Be the first to comment

Securing Data in Transit -

  1. 1. SECURING DATA IN TRANSIT Using TLS in Constrained Devices Copyright 2015 wolfSSL Inc.1
  2. 2. Session Presenters Copyright 2015 wolfSSL Inc.2 Chris Conlon wolfSSL Inc. chris@wolfssl.com Jacob Barthelmeh wolfSSL Inc. jacob@wolfssl.com
  3. 3. What We’re Covering Today 1. Introduction and History of wolfSSL (5 min) 2. Overview of SSL/TLS, and Crypto (15 min) 3. TLS Enabling a Simple HTTP Client (10 min) 4. Emerging Ciphers and Algorithms (10 min) 5. Time-Permitting Q & A (5 min) Copyright 2015 wolfSSL Inc.3
  4. 4. wolfSSL Inc History, Introduction, and Products 4 Copyright 2015 wolfSSL Inc.
  5. 5. wolfSSL History Copyright 2015 wolfSSL Inc.5
  6. 6. About wolfSSL Founded: 2004 Locations: Bozeman, MT Seattle, WA Portland, OR Our Focus: Open Source Embedded Security (Apps, Devices, IoT, and Cloud) Copyright 2015 wolfSSL Inc.6 Products: - wolfSSL - wolfSSL FIPS - wolfCrypt - wolfSSH - wolfSCEP - wolfSSL Inspection - yaSSL
  7. 7. One Billion Endpoints! Copyright 2015 wolfSSL Inc.7 Factory Automation Automotive / Smart Car Smart Grid Cloud Services Routers Databases Connected Home SensorsBattlefield Communication Smart Energy Machine-to-Machine Games Appliances Internet of Things Mobile / Smartphones
  8. 8. Strategic Partnerships Copyright 2015 wolfSSL Inc.8
  9. 9. History and Goals SSL / TLS 9 Copyright 2015 wolfSSL Inc.
  10. 10. SSL/TLS - History and Protocols ● SSL / TLS / DTLS versions Copyright 2015 wolfSSL Inc.10 Notes: ● SSL 2.0 is insecure ● SSL = “Secure Sockets Layer” ● TLS = “Transport Layer Security” ● DTLS = “Datagram TLS”
  11. 11. SSL/TLS - Goals ● Enable secure CLIENT / SERVER communication Privacy + Prevent eavesdropping Authentication + Prevent impersonation Integrity + Prevent modification Copyright 2015 wolfSSL Inc.11
  12. 12. SSL/TLS - Simplified Analogy Copyright 2015 wolfSSL Inc.12 Goals: A. Talk to the desired person B. Talk privately (securely) Alice Bob ? ?
  13. 13. SSL/TLS - Simplified Analogy Copyright 2015 wolfSSL Inc.13 Goals: A. Talk to the desired person B. Talk privately (securely) Alice Bob
  14. 14. SSL/TLS - Simplified Analogy Copyright 2015 wolfSSL Inc.14 Goals: A. Talk to the desired person B. Talk privately (securely) Alice Bob
  15. 15. SSL/TLS - Simplified Analogy ● Goals: ○ Talk to the desired peer ■ X.509 certificates (RSA, ECC) ○ Talk privately (securely) ■ Encryption, Integrity checks Copyright 2015 wolfSSL Inc.15
  16. 16. MITM Attacks ● Man in the Middle Attacks ● One of the most prominent attacks TLS tries to prevent Copyright 2015 wolfSSL Inc.16
  17. 17. RFC and Protocols SSL / TLS 17 Copyright 2015 wolfSSL Inc.
  18. 18. TLS - Protocol Specs ● Protocol Specifications ○ RFC 6101: SSL 3.0 ○ RFC 2246: TLS 1.0 ○ RFC 4346: TLS 1.1 ○ RFC 5246: TLS 1.2 ○ “Draft”: TLS 1.3 Copyright 2015 wolfSSL Inc.18
  19. 19. TLS - Protocols and Location Copyright 2015 wolfSSL Inc.19
  20. 20. TLS - Sub Protocols Handshake Protocol ● Responsible for negotiating a session, includes: ○ Session identifier ○ Peer certificate ○ Compression method ○ Cipher spec ○ Master secret ○ “is resumable” Copyright 2015 wolfSSL Inc.20 1 2 3 4(A) (B)
  21. 21. TLS - Sub Protocols Copyright 2015 wolfSSL Inc.21 1 2 3 4(A) (B)
  22. 22. TLS - Sub Protocols Change Cipher Spec Protocol ● Signals transitions in ciphering strategies ● Sent by both client and server ● Notifies receiving party that subsequent records will be protected under newly negotiated CipherSpec and keys Copyright 2015 wolfSSL Inc.22 1 2 3 4(A) (B)
  23. 23. TLS - Sub Protocols Alert Protocol ● Convey severity and description of alert ● Either “warning” or “fatal” ● Fatal results in immediate termination of connection ● Encrypted and compressed as per CipherSpec Copyright 2015 wolfSSL Inc.23 1 2 3 4(A) (B)
  24. 24. TLS - Sub Protocols Record Protocol ● Layered protocol (Sending Side) ○ Fragments input data into blocks ○ (optionally) compresses data ○ Applies MAC ○ Encrypts ○ Transmits the result Copyright 2015 wolfSSL Inc.24 1 2 3 4(A) (B)
  25. 25. TLS - Sub Protocols Record Protocol ● Layered protocol (Receiving Side) ○ Decrypts received data ○ Verifies data (using MAC) ○ Decompresses ○ Reassembles ○ Delivers result to higher level Copyright 2015 wolfSSL Inc.25 1 2 3 4(A) (B)
  26. 26. Cipher Suites SSL / TLS 26 Copyright 2015 wolfSSL Inc.
  27. 27. Cipher Suites: Structure ● Combination of algorithms: Hash Functions: MD5, SHA-1, SHA-256, .. Block and Stream Ciphers: AES, 3DES, ChaCha20, ... Public Key Algorithms: RSA, ECC, NTRU, ... Copyright 2015 wolfSSL Inc.27 CIPHER SUITE
  28. 28. Cipher Suites: Structure Protocol_keyexchange_WITH_bulkencryption_mode_messageauth Copyright 2015 wolfSSL Inc.28 Examples: SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  29. 29. X.509 Certs and Keys SSL / TLS 29 Copyright 2015 wolfSSL Inc.
  30. 30. Making Sense of X.509 ● X.509 is a standard for PKI (public key infrastructure) ● Some things specified by it include: ○ Public key certificates ○ Certificate revocation lists ○ Certificate path validation algorithm (CA / cert chain structure) ● Structure is expressed in ASN.1 syntax Copyright 2015 wolfSSL Inc.30
  31. 31. X.509v3 Certificates Structure of X.509v3 certificate is as follows: ● Certificate ○ Version ○ Serial Number ○ Algorithm ID ○ Issuer ○ Validity ■ Not Before ■ Not After ○ Subject ○ Subject Public Key Info ■ Public Key Algorithm ■ Subject Public Key ○ Issuer Unique Identifier (optional) ○ Subject Unique Identifier (optional) ○ Extensions (optional) ■ … ○ Certificate Signature Algorithm ○ Certificate Signature Copyright 2015 wolfSSL Inc.31
  32. 32. X.509v3 Certificates ● Filename Extensions ○ .pem ■ “Privacy-enhanced Electronic Mail” ■ Base64-encoded DER certificate ○ .der, .cer, .crt ■ Binary DER form ● Others include ○ .p7b, .p7c (PKCS#7) – standard for signing/encrypting data ○ .p12 (PKCS#12) – bundle certs and private keys ○ .pfx (predecessor to .p12) Copyright 2015 wolfSSL Inc.32 -----BEGIN CERTIFICATE----- … … -----END CERTIFICATE-----
  33. 33. Certificate Chain ● A list of certificates followed by one or more CA certificates, where: ○ The Issuer of each certificate matches the Subject of the next ○ Each cert is signed by the private key of the following cert ○ The last cert in the chain (although not sent in the SSL/TLS handshake) is the “root CA” Copyright 2015 wolfSSL Inc.33
  34. 34. Certificate Chain Copyright 2015 wolfSSL Inc.34
  35. 35. SSL / TLS on Devices Securing a simple HTTP client with TLS 35 Copyright 2015 wolfSSL Inc.
  36. 36. wolfSSL Library Features ● C-language based SSL/TLS library ● Standards up to TLS 1.2 and DTLS 1.2 ● Focused on size and speed optimization, progressive ● Minimum footprint size of 20-100 kB ● Minimum RAM usage: 1-36kB ● Web server integration (NGINX, Lighttpd, Mongoose, GoAhead) ● OpenSSL Compatibility Layer ● Hardware Crypto Support ● Suite-B Compatible, FIPS 140-2 (Level 1) in process ● Dual Licensed (GPLv2 and Commercial) Copyright 2015 wolfSSL Inc.36
  37. 37. wolfSSL + FRDM-K64F Using wolfSSL in a Simple Embedded Client App 37 Copyright 2015 wolfSSL Inc.
  38. 38. wolfSSL + FRDM-K64F ● Why are we using FRDM-K64F? ○ Simplicity, relevance ● Could as easily use any number of embedded platforms: ○ Microchip PIC32MX/MZ ○ STMicro STM32F2/F4/F7 ○ Freescale Kinetis, Coldfire ○ ... Copyright 2015 wolfSSL Inc.38
  39. 39. wolfSSL + FRDM-K64F ● wolfSSL is available for download from wolfssl.com: ● And also from GitHub: Copyright 2015 wolfSSL Inc.39
  40. 40. wolfSSL + FRDM-K64F ● Or might already be in your IDE! ○ Keil MDK-ARM “Software Pack” ○ Microchip MPLAB Harmony ○ Freescale MQX-SSL Copyright 2015 wolfSSL Inc.40
  41. 41. wolfSSL + FRDM-K64F ● wolfSSL has tight integration for Freescale platforms (among others) ○ FREESCALE_MQX - MQX operating system ○ FREESCALE_MMCAU - mmCAU HW crypto ○ FREESCALE_K70_RNGA - K70 HW RNG ○ FREESCALE_K53_RNGB - K53 HW RNG Copyright 2015 wolfSSL Inc.41
  42. 42. wolfSSL + FRDM-K64F ● This platform is being used currently for a new product! Smart Door Lock Product ● Door Lock = Freescale FRDM-K64F ● Home Gateway = Freescale i.MX6 ● Security = wolfSSL Copyright 2015 wolfSSL Inc.42
  43. 43. wolfSSL + FRDM-K64F ● Drop wolfSSL into an Existing Project Copyright 2015 wolfSSL Inc.43
  44. 44. wolfSSL + FRDM-K64F ● wolfSSL / wolfCrypt Code Structure Copyright 2015 wolfSSL Inc.44
  45. 45. wolfSSL + FRDM-K64F ● Configuring the SSL/TLS library ○ Configuring wolfSSL (user_settings.h) ○ Project Properties -> Compiler -> Preprocessor ○ Add WOLFSSL_USER_SETTINGS ○ This file contains wolfSSL-specific configuration defines ○ Based on wolfSSL’s main settings.h file Copyright 2015 wolfSSL Inc.45
  46. 46. wolfSSL + FRDM-K64F ● Include wolfSSL header file in main.c ● Initialize wolfSSL library ● Optionally, enable debug output (also define DEBUG_WOLFSSL) Copyright 2015 wolfSSL Inc.46 #include “wolfssl/ssl.h” /* initialize wolfSSL library */ wolfSSL_Init(); /* enable wolfSSL debug output */ wolfSSL_Debugging_ON();
  47. 47. wolfSSL + FRDM-K64F ● Create wolfSSL context (ex: using TLS 1.2) ● Enable (or set) peer verification ● Load trusted root CA certificate, from DER-formatted buffer Copyright 2015 wolfSSL Inc.47 WOLFSSL_CTX* ctx; ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); /* turn on peer verification, register verify callback */ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); int ret; ret = wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_der_2048, sizeof(ca_cert_der_2048), SSL_FILETYPE_ASN1)
  48. 48. wolfSSL + FRDM-K64F ● After socket has been created and connect()’ed, create wolfSSL session: ● Pass established socket file descriptor to wolfSSL ● Initiate SSL/TLS connection, do handshake with peer Copyright 2015 wolfSSL Inc.48 WOLFSSL* ssl; if ((ssl = wolfSSL_new(ctx)) == NULL) err_sys("wolfSSL_new failed"); wolfSSL_set_fd(ssl, sockfd); ret = wolfSSL_connect(ssl); if (ret != SSL_SUCCESS) err_sys("wolfSSL_connect failed");
  49. 49. wolfSSL + FRDM-K64F ● Write data using: ● And read data using: Copyright 2015 wolfSSL Inc.49 wolfSSL_write(ssl, msg, msgSz); wolfSSL_read(ssl, reply, sizeof(reply));
  50. 50. wolfSSL + FRDM-K64F ● Shutdown SSL/TLS session ● Free resources: Copyright 2015 wolfSSL Inc.50 wolfSSL_shutdown(ssl); wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); wolfSSL_Cleanup();
  51. 51. Peak RAM Usage ● RSA Cipher Suites ● ECC Cipher Suites Copyright 2015 wolfSSL Inc.51 Math Library Key Size Peak Stack Use Peak Heap Use fast 1024 10k 9k fast 2048 13k 11k normal 1024 6k 14k normal 2048 7k 17k Math Library Key Size Peak Stack Use Peak Heap Use fast 256 7k 12k normal 256 6k 15k
  52. 52. wolfSSL + FRDM-K64F It’s as simple as that! (try it yourself and see) Copyright 2015 wolfSSL Inc.52
  53. 53. Emerging Ciphers What’s hot in the crypto world! 53 Copyright 2015 wolfSSL Inc.
  54. 54. Emerging Ciphers ● ChaCha20 ● Poly1305 ● Curve25519 ● Ed25519 Created by Daniel Bernstein a research professor at the University of Illinois, Chicago Chacha20-Poly1305 AEAD used in Google over HTTPS Ed25519 and ChaCha20-Poly1305 AEAD used in Apple’s HomeKit (iOS Security) Copyright 2015 wolfSSL Inc.54
  55. 55. ChaCha20 Info ● Based from Salsa20 stream cipher using a different quarter- round process giving it more diffusion ● Fast stream cipher that also can have block characteristics ● Can be used for AEAD encryption with Poly1305 ● Was published by Bernstein in 2008 Used by ● Google Chrome ● TinySSH ● Apple HomeKit ● wolfSSL Copyright 2015 wolfSSL Inc.55 reference 1
  56. 56. ChaCha20 Quarter Round The heart of ChaCha20 is the quarter round. Operations performed are (note ^ means xor) a += b; d ^= a; d <<<= 16; c += d; b ^= c; b <<<= 12; a += b; d ^= a; d <<<= 8; c += d; b ^= c; b <<<= 7; Where a,b,c, and d are 32 bit unsigned integers. Copyright 2015 wolfSSL Inc.56
  57. 57. ChaCha20 Matrix Data for encryption is arranged into a matrix constant(0) constant(1) constant(2) constant(3) key(4) key(5) key(6) key(7) key(8) key(9) key(10) key(11) input(12) input(13) input(14) input(15) Copyright 2015 wolfSSL Inc.57
  58. 58. ChaCha20 Operation To complete a double round 8 quarter rounds are performed. The first 4 quarter rounds consist of a column round. All data used from the matrix x is in similar columns. The last 4 quarter rounds consist of a diagonal round. All data used in the quarter round from the matrix x is in a diagonal pattern. QUARTERROUND( x0, x4, x8,x12) QUARTERROUND( x1, x5, x9,x13) QUARTERROUND( x2, x6,x10,x14) QUARTERROUND( x3, x7,x11,x15) QUARTERROUND( x0, x5,x10,x15) QUARTERROUND( x1, x6,x11,x12) QUARTERROUND( x2, x7, x8,x13) QUARTERROUND( x3, x4, x9,x14) Copyright 2015 wolfSSL Inc.58 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
  59. 59. ChaCha20 Performance Copyright 2015 wolfSSL Inc.59
  60. 60. Poly1305 Info Why it’s used Extremely fast in comparison to others To provide authentication of messages Introduced by a presentation given from Bernstein in 2002 Naming scheme from using polynomial-evaluation MAC (Message Authentication Code) over a prime field Z/(2^130 - 5) Copyright 2015 wolfSSL Inc.60 reference 2
  61. 61. Poly1305 Performance Copyright 2015 wolfSSL Inc.61
  62. 62. Poly1305 Outline Of Operation Algorithm ● Set an accumulator h to 0 ● Divide the message into chunks c ● h = h + c and then h = rh, where r is part of the key ● Periodically reduce h modulo 2^130 - 5 ● After all chunks ( c ) processed reduce h modulo 2^130 - 5 ● Add key to h Copyright 2015 wolfSSL Inc.62
  63. 63. Curve25519 Used by ● Tor ● Google Chrome ● Apple iOS ● wolfSSL Copyright 2015 wolfSSL Inc.63 reference 3 Generic Montgomery curve. Reference 5
  64. 64. Curve25519 Visualization Copyright 2015 wolfSSL Inc.64
  65. 65. Curve25519 Visualization Copyright 2015 wolfSSL Inc.65
  66. 66. Curve25519 Performance Copyright 2015 wolfSSL Inc.66
  67. 67. Curve25519 Performance Copyright 2015 wolfSSL Inc.67
  68. 68. Ed25519 Used by ● Tera Term ● GnuPG ● wolfSSL Copyright 2015 wolfSSL Inc.68 reference 4 Generic Twisted Edwards Curve. Reference 6
  69. 69. Ed25519 Terms ● A is the public key point ● a is the public key ● H(*) is the Sha512 hash of * ● B is the unique point (x, 4/5) ∈ E for which x is positive ● M is the message ● l is the prime 2^252 + 27742317777372353535851937790883648493 Copyright 2015 wolfSSL Inc.69
  70. 70. Ed25519 Sign / Verify Steps for signature 1. computing r = H(hb, . . . , h2b−1, M) 2. computing R = rB 3. computing S = (r + H(R, A, M)a) mod l Verification SB = R + H(R, A, M)A Copyright 2015 wolfSSL Inc.70
  71. 71. Ed25519 Sign Copyright 2015 wolfSSL Inc.71
  72. 72. Ed25519 Verify Copyright 2015 wolfSSL Inc.72
  73. 73. Ed25519 Fast Single Verify SB = R + H(R, A, M)A is changed to R = SB - H(R, A, M)A Saving having to decompress R Copyright 2015 wolfSSL Inc.73
  74. 74. Ed25519 Performance Copyright 2015 wolfSSL Inc.74
  75. 75. Ed25519 Performance Copyright 2015 wolfSSL Inc.75
  76. 76. References 1. ChaCha20 http://cr.yp.to/chacha/chacha-20080128.pdf 2. Poly1305 http://cr.yp.to/mac/poly1305-20050329.pdf 3. Curve25519 http://cr.yp.to/ecdh/curve25519-20060209.pdf 4. Ed25519 http://ed25519.cr.yp.to/ed25519-20110926.pdf Generic Graph Images of Curves From 5. "Montgomery curve1" by Krishnavedala - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons. wikimedia.org/wiki/File:Montgomery_curve1.svg#/media/File: Montgomery_curve1.svg 6. "Twisted Edwards curve" by Krishnavedala - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons. wikimedia.org/wiki/File:Twisted_Edwards_curve.svg#/media/File: Twisted_Edwards_curve.svg Copyright 2015 wolfSSL Inc.76
  77. 77. THANKS! QUESTIONS? Copyright 2015 wolfSSL Inc.77 WOLFSSL info@wolfssl.com +1 (425) 245 - 8247 CHRIS CONLON chris@wolfssl.com JACOB BARTHELMEH jacob@wolfssl.com
  78. 78. Session Introduction • Abstract • As designers and developers race to pack cool and eye catching features into “Internet of Things” and connected devices, the security of those devices oftentimes takes a back seat. After all, how many times does a manufacturer hear end customers ask: “Is that refrigerator secured with TLS 1.2 or SSL 3.0?”. Security analysts and hackers aside, the answer is, hardly ever. One of the most prominent ways of securing connected devices today is with TLS, or “Transport Layer Security”. This session will start with a basic introduction of TLS, working its way up to a demonstration of how easy it can be to integrate TLS into an existing Internet-connected device. Also included will be considerations on what ciphers, algorithms, and key sizes are preferential for various types of projects, touching on both the enterprise server side as well as the resource constrained device side. The open source wolfSSL SSL/TLS library will be used for demonstration purposes. Copyright 2015 wolfSSL Inc.78
  79. 79. Session Introduction • Key Takeaway • Key takeaways from this session will include an overview of the TLS protocol, considerations when choosing what algorithms, ciphers and key sizes to use, and an understanding of how to add TLS to a new or existing application or device. • Intended Audience • The intended audience of this session is designers and engineers interested in using SSL/TLS to secure their projects or devices. Helpful prerequisites include a general understanding of C programming. Copyright 2015 wolfSSL Inc.79

×