Lecture 17 : TLS
NIT - 6.893 fall 2020 Henry Corrigan - Gibbs Plan
-
- Recap : Arts & CT - Privacy issues and TLS Logistics
""""
- Feel free to come to OH or email me to ask resents about apps for
-
other class . ÷÷÷:÷÷÷÷÷÷÷÷Cor post Qs theca: Public - key Infrastructure & CT
To to mit.edu 's server I encrypt messages , need but where do I this ? pkmtt , get
: A Public - key infrastructure
$$$ , < lawyers ' . ! me . ] . i Idea - . cent pkmit Dig (skmit) - S (ska : g )
( Digi O " Hello ' Imitation: . ."÷ :/ . ,
DATA /
- magicc. ------→
" " " Client runs - mit.edu Verify (pkmit, , pkmit , Digi )
- Runs other cheeks
- Accepts if all pass . (This is simplified ? Many layers of CAs) PEM : CAs Points failure Many , Many Single of
0 *
- Pk . - - Pkdigi PK Hongkong , Pk , Turkey , Germany , [ look at the list CAs that If you of your be browser trusts . , you'll surprised
In the old ⇐ of these days , compromising any CAs would have to mint given you ability certs for any domain . ↳ Middle box vendors abused this Recap: Trotters 1 . Public-key Pinning static Dynamic " pkmt and remember if I Iq § ] philter PKTor
Pk Google Pk FB
→
hard to . Fallen out . Brittle use of favor ,
2 . Certificate Transparency Distributed tog CA
- :D ' pair:c: is : DD .edu I hash Mit ] log
" : CA ? Goal If goes rogue eventually
someone should notice.
: who runs the ? Challenges " logs " Do ? you fail open Privacy and TLS
* PKI is all about getting the key what ? public . then for you counterparty . .
* . TLS . . the most - common HTTPS SMPPS . . encryption layer ( , , ) : SSH . . - . others IPsec . . , ,
j¥ Its ¥ I ,
* Also one the most tools , of powerful for protecting against network surveillance .
↳ " it to read wire Makes difficult data on .
* TLS 1.3 addresses large classes of prior vulnerability ↳ we hope that there will be fewer protocol buys
this time around . TLS 1.3 (Based on Eric Reseda's notes ] SIMPKIFIED ?
CLIENT SERVER
client Hello : random , grchent ,
Server Hello : random , graver <
Art , Tianshan finished { , } < Check Cert , check Srg over handshake i data 5 App App data encrypted using keg Finished derived from > hash of data App g transcript . Caveats to TLS Privacy
- DNS leaks which sites you're visiting
. all to various servers . . DNS . unencrypted
DNS resolver ? [email protected] > IP is 104.77. D < 234.213$'
Snoopy wifi route or MITM can see this .
: Recent innovation DNS over HTTPS ( enabled default in Ff) " by " Dolt and Chrono
Cloud#are Cloudflare still sees HTTPS pipe you DNS but no mites queries,
] . ! One thy cIPofmit.fr ) else does
→ :* Lots . Drs convenient of controversy was a place for and to limonite govt companies filter web browsing . ↳ see : Uk
: Worries about to STILL leakage Dolt resolver . we the DNS Suppose fix problem . . .
- TLS still does not hide which site = you're IP
to . . even Connecting . if many sites behind sane
? , why If a single machine IIP host 100 which websites the server needs to know , certificate to send client " "
Server name . . SNI ( indication - ) client Shared Host " " Hello leg. Github , mit.edu pages) + s N a pkmi.t.edu i ①
.
in ⇒ an internet the owner If you're cafe, of the wifi router can see hostname - not
only IP addresses . ( Also sent - 1.3) , pkmit unencrypted pre
TLS 1.3 : " Server Cert is sent encrypted (protects against eavesdropper)
-
to . - SNI - Option encrypt more complicated Problems with versions of TLS 1.3) prior (pre
+ SSLITLS enabled online commerce .
- Lots of security issues
↳ : One meta - problem Protocol designed first
. - TLS and analyzed second . fixed w/ 1.3
. Examples of security problems . .
Suppovtfaroldciphorg Modern cipher modes of operation provide authenticity & confidentiality ↳ See Boneh - book
" Shoup" A-EAD mode
Old version of TLS non - DEAD supported mate?'µyp . RSA " Also old versions of - oracle signatures padding " attacks Also ciphers w/ 64 - bit blocker
TLS 1.3 : DEAD fever suites Only , many cipher , esoteric eliminates . custom many option leg EDH groups) . - backer . (Bleicher , Diggin: Example Padding - Oracle Attack
RSA encryption w/ PKG#I vts padding
- N - e 3 public key pig , exponent
"
Endy m c- 10,1338 ){ ,
- random . ← non zero stuff m C µ 00/021 100 / In
' C- output µ In 3
Dec ( pm d- C- En) f ,
' " 3 m ← d- e En
' :
. . . . - FAIL if u 1=10×00,0×02, f
else output low - order bytes }
⇒ By choosing random r←^ In and 's asking for of Ct Pct c- En the decryption , recover all m attacker can of . often → Attack works even if server tries to hide whether failure occurred ( timing site - channels) " " Competency ( CRIME )
TLS like ( most emo schemes) makes no attempt to ? hide .. What message 4th could go wrong
" " GZIP( secret Hoo ) " " GZIP ( secret 11 11 ) i i ↳ Can recover sensitive authentication cookies ete . ,
TLS 1.3 : No more certain heads compression , except for ↳ still to possible get wormy
Attack ( Ray & Disperse) Renegotiationt to Allows a MITM attacker append traffic on encrypted session b/w client & server. Attacker Bank S S
la . c D Client thinks she's request 's to serve attacker . . . actually sending ↳ - Super subtle & clever . Many variants
" " → to 's Very bad . . . Send $ attacker usaid
Protocol tweaks to to eliminate this TLS 1.3 : try
sort of confusion . No " forward " e-secrecy
Old school key exchange
K) Endpkrsob, ① , O t t ^ with K Alice msgs encrypted Bob #
: Problem Attacker- who can read all traffic t steal all Sk Bob can decrypt past traffic .
! . . Example EDH key exchange (simplified ) . DDA Group G
① sample rp " Samplers Iq g c. G of & , , Alice Bob " G % < 5 don't , , Why nptdHgs { Ephemeral RSA ?
& Bob can delete r as Alice secrets ra , , rotate soon as key exchange is done . Can keys on every connection . ↳ Breach doesn't affect past connections ↳ Still vulnerable to total break of cryptosystem ( etc) ECDKG , : TLS 1.3 No RSA key exchange . Only ephemeral DH - 9 Also controversial ? * - TLS is ore of the most important privacy we tools have . preserving
* TLS 1.3 the removes many of problematic features of earlier versions of SSVTLS
* Still metadata is a serious , leakage
. - privacy threat -
. . . NEXT TIME O