Session ID: FTF-INS-F1145
June, 2015

HANDS-ON WORKSHOP

Create Secure Network-Connected Embedded Systems with CyaSSL and Kinetis SDK

Copyright 2015 wolfSSL Inc.

SESSION INTRODUCTION

• Abstract
  • Secure your data communications with TLS/SSL for embedded systems, now available in an easy-to-use package for Kinetis SDK and MQX™ RTOS. Learn how to enable secure web server connections to browsers and mobile devices as well as web client connections to the cloud.
• Presenters
  • Chris Conlon | wolfSSL Inc. | Software Engineer
• Timing
  • 1 Hour : Presentation (Protocol, technology overview)
  • 1 Hour : Hands-on Lab with FRDM-K64F

SESSION OBJECTIVES

• Gain overview knowledge of SSL / TLS protocols
• Learn about TLS and performance
• Gain insight into best practices for using TLS on devices
• Learn how to enable secure web server communication, using demos included in the CyaSSL patch for the Kinetis SDK
• Learn the advantages of using wolfSSL and CyaSSL on Freescale platforms
• Get hands-on experience, directly from experts at wolfSSL

AGENDA

1. Introduction and History of wolfSSL
2. Overview of SSL / TLS, and Cryptography
3. X.509 and Certificates
4. Overview of wolfSSL Embedded SSL / TLS
5. Using CyaSSL with Freescale KDS IDE and Kinetis MCUs
6. Using Wireshark to Inspect a TLS Connection
7. Hands On Lab: HTTPS Server Example with CyaSSL, KDS, and FRDM-K64F
8. Additional Tips and Tricks about CyaSSL (Time Permitting)

ABOUT WOLFSSL

Founded: 2004
Location: Bozeman, MT; Seattle, WA; Portland, OR
Products:
- wolfSSL
- wolfSSL FIPS
- wolfCrypt
- wolfSSH
- wolfSCEP
- wolfSSL Inspection
- yaSSL
Our Focus: Open Source Embedded Security (for Applications, Devices, IoT, and the Cloud)

200 OEM Customers
10 Resale Partners
Currently Securing 1 Billion Connections!
Employees: 2011: 3, 2012: 9, 2013: 11, 2014: 15, 2015: 17

WOLFSSL LIGHTWEIGHT SSL/TLS

• Advantages to wolfSSL:
  • Written from the Ground Up. wolfSSL owns the Copyright
  • Built for Portability, Modularity, and Performance
  • Strong, collaborative partnership with Freescale
  • Commitment to new ciphers, features, and addressing ongoing security threats
  • Current SSL/TLS/DTLS protocol support up to TLS 1.2 and DTLS 1.2
  • Community, User, and Professional vetted since 2006
  • Dedicated support via [email protected] and direct phone support
  • Free Presales Support!

OVERVIEW OF SSL / TLS

GOALS, HISTORY

SSL / TLS : HISTORY AND PROTOCOLS

• SSL / TLS / DTLS versions

1995 SSL 2.0
1996 SSL 3.0
1999 TLS 1.0
2006 TLS 1.1, DTLS 1.0
2008 TLS 1.2
2012 DTLS 1.2

Notes:

• SSL 2.0 is insecure
• SSL = “Secure Sockets Layer”
• TLS = “”
• DTLS = “Datagram TLS”

SSL / TLS : GOALS

• Enables secure client/server communication

Privacy + Prevent eavesdropping
Authentication + Prevent impersonation
Integrity + Prevent modification

TLS : SIMPLIFIED ANALOGY

Goals:
A. Talk to the desired person
B. Talk privately (securely)

[Diagram: Alice and Bob, each with a driver's license]

Goals:
• Talk to the desired peer
  • X.509 Certificates (RSA, ECC)
• Talk privately (securely)
  • Encryption, Integrity checks

MITM ATTACKS

• Man in the Middle Attacks
  • One of the most prominent attacks TLS tries to prevent

[Diagram: Device and Server, with an Attacker between them]

SSL / TLS

TECHNICAL OVERVIEW, RFC’S, HANDSHAKE

TLS : PROTOCOL SPECS

Protocol Specifications

• RFC 6101: SSL 3.0
• RFC 2246: TLS 1.0
• RFC 4346: TLS 1.1
• RFC 5246: TLS 1.2
• “Draft”: TLS 1.3

TLS : PROTOCOLS AND LOCATION

Protocols Secured by SSL/TLS

[Diagram: protocol stack, top to bottom]
Application Layer: SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol, and application protocols (HTTP, LDAP, SMTP, etc.), all carried by the SSL Record Layer
Transport Layer: TCP
Internet Layer: IP
Network Layer: Network Access

TLS : SUB PROTOCOLS

Handshake Protocol

• Responsible for negotiating a session, includes:
  • Session identifier
  • Peer certificate
  • Compression method
  • Cipher spec
  • Master secret
  • “is resumable”

TLS : SUB PROTOCOLS

[Diagram: handshake message flow between Client and Server]

1. Client → Server: Client Hello, cryptographic info (SSL version, supported ciphers, etc.)
2. Server → Client: Server Hello, Cipher Suite, Server Certificate, Server Key Exchange (public key), ( Client Certificate Request ), Server Hello Done
3. Client: Verify server cert, check crypto parameters
4. Client → Server: Client Key Exchange, ( Certificate Verify ), ( Client Certificate )
5. Server: Verify client cert (if required)
6. Client → Server: Change Cipher Spec, Client Finished
7. Server → Client: Change Cipher Spec, Server Finished
8. Exchange (Encrypted)

TLS : SUB PROTOCOLS

Handshake Protocol

• Client Hello →
  • Sent when client first connects to server
  • Includes
    • Protocol version
    • Random structure
    • Session ID
    • Cipher suites
    • Compression methods
    • Extensions
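The Client Hello fields listed above, read in wire order with every length field bounds-checked. This is an added example, not code from the slides or from wolfSSL/CyaSSL; the type and function names and the sample message bytes are constructed for illustration, and the layout follows RFC 5246.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ClientHello fields in wire order (RFC 5246, section 7.4.1.2). */
typedef struct {
    uint8_t  major, minor;      /* protocol version; 3.3 is TLS 1.2 */
    const uint8_t *random;      /* points at the 32-byte Random structure */
    uint8_t  session_id_len;
    uint16_t suites[16];        /* offered cipher suites, client preference order */
    size_t   n_suites;
    uint8_t  n_compression;
    size_t   ext_len;           /* bytes of extensions, 0 when none are present */
} client_hello;
typedef struct { const uint8_t *p; size_t left; } cursor;

/* Consume n bytes, or return NULL instead of reading past the buffer. */
static const uint8_t *take(cursor *c, size_t n) {
    const uint8_t *r = c->p;
    if (n > c->left) return NULL;
    c->p += n; c->left -= n;
    return r;
}

/* Returns 0 on success, -1 on a truncated or inconsistent message. */
int parse_client_hello(const uint8_t *msg, size_t len, client_hello *out) {
    cursor c = { msg, len };
    const uint8_t *b;
    size_t n;
    memset(out, 0, sizeof *out);
    if (!(b = take(&c, 4)) || b[0] != 0x01) return -1;      /* 1 = client_hello */
    n = ((size_t)b[1] << 16) | ((size_t)b[2] << 8) | b[3];
    if (n != c.left) return -1;               /* declared length must match */
    if (!(b = take(&c, 2))) return -1;
    out->major = b[0]; out->minor = b[1];
    if (!(out->random = take(&c, 32))) return -1;
    if (!(b = take(&c, 1)) || b[0] > 32 || !take(&c, b[0])) return -1;
    out->session_id_len = b[0];               /* session ID is at most 32 bytes */
    if (!(b = take(&c, 2))) return -1;
    n = ((size_t)b[0] << 8) | b[1];
    if (n < 2 || n % 2 || !(b = take(&c, n))) return -1;    /* 2 bytes per suite */
    for (size_t i = 0; i < n / 2 && out->n_suites < 16; i++)
        out->suites[out->n_suites++] = (uint16_t)((b[2 * i] << 8) | b[2 * i + 1]);
    if (!(b = take(&c, 1)) || b[0] < 1 || !take(&c, b[0])) return -1;
    out->n_compression = b[0];
    if (c.left == 0) return 0;                /* extensions are optional */
    if (!(b = take(&c, 2))) return -1;
    out->ext_len = ((size_t)b[0] << 8) | b[1];
    return out->ext_len == c.left ? 0 : -1;
}

/* Constructed sample (not a capture): TLS 1.2, two suites, null compression. */
size_t sample_client_hello(uint8_t buf[47]) {
    static const uint8_t head[6] = { 0x01, 0x00, 0x00, 0x2b, 0x03, 0x03 };
    static const uint8_t tail[9] = { 0x00, 0x00, 0x04, 0x00, 0x2f, 0x00, 0x39, 0x01, 0x00 };
    memcpy(buf, head, 6);
    memset(buf + 6, 0xAB, 32);  /* placeholder Random */
    memcpy(buf + 38, tail, 9);
    return 47;
}
```

The two suite values in the sample, 0x002f and 0x0039, are the registered identifiers for TLS_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA.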

TLS : SUB PROTOCOLS

Handshake Protocol

• ← Server Hello
  • Sent in response to Client Hello
  • Only when it can find acceptable set of algorithms
  • Includes
    • Protocol version
    • Random
    • Session ID
    • Cipher suite
    • Compression method
    • Extensions

• Hello Extensions
  • Signature Algorithms
    • Which signature / hash pairs may be used
  • Maximum Fragment Length
    • Set maximum SSL record fragment size
  • Several more…

• ← Server Certificate
  • Server’s certificate chain sent to client
  • X.509v3 certificates
  • Must be compatible with selected key exchange method

• ← Server Key Exchange
  • Sent when cert message doesn’t contain enough data for client to exchange premaster secret:
    • DHE_DSS
    • DHE_RSA
    • DHE_ANON
  *Or rather, when “ephemeral” suites are used.

• ← (Certificate Request)
  • Server request for client certificate
  • Used when “mutual authentication” is done

• ← Server Hello Done
  • Indicates end of Server Hello
  • After sending, server waits for client response

• Client Authenticates Server
  • Using cert sent previously and loaded CA certs

• (Client Certificate) →
  • Only sent if server requests it
  • If no cert available, must send empty one

TLS : SUB PROTOCOLS

Handshake Protocol

• Client Key Exchange →
  • Sets the premaster secret:
    • RSA-encrypted premaster secret message
    • Client DH public value

• Certificate Verify →
  • Used to provide explicit verification of the client certificate
  • Client signs some data* with private key
  • Server tries to decrypt with public key
  *concatenation of all handshake messages thus far

• Change Cipher Spec →
  • Switches to agreed upon cipher suite, compression, etc.

• Finished →
  • Verifies that key exchange and authentication process was successful.
  • First message sent under negotiated algorithms, keys, and secrets.

• ← Change Cipher Spec
  • Same purpose as client’s

• ← Finished
  • Same purpose as client’s

TLS : SUB PROTOCOLS

Change Cipher Spec Protocol

• Signals transitions in ciphering strategies
• Sent by both client and server
• Notifies receiving party that subsequent records will be protected under newly negotiated CipherSpec and keys

TLS : SUB PROTOCOLS

Alert Protocol

• Convey severity and description of alert
• Either “warning” or “fatal”
• Fatal results in immediate termination of connection
• Encrypted and compressed as per CipherSpec

TLS : SUB PROTOCOLS

Record Protocol

• Layered protocol (Sending Side)
  • Fragments input data into blocks
  • (optionally) compresses data
  • Applies MAC
  • Encrypts
  • Transmits the result

• Layered protocol (Receiving Side)
  • Decrypts received data
  • Verifies data (using MAC)
  • Decompresses
  • Reassembles
  • Delivers result to higher level

CRYPTO BITS

ALGORITHMS, CIPHERS, AND PERFORMANCE

CRYPTO : BLOCK CIPHERS

• Algorithms operating on fixed-length BLOCKS of data.
• Use a symmetric key
• Several types of operating modes:
  • ECB, CBC, CTR, …
• Commonly-used block ciphers in SSL/TLS:
  • AES, DES, 3DES

CRYPTO : BLOCK CIPHERS

• Mode of operation: ECB
  • ECB: Electronic Codebook Mode

Ref: Wikipedia: Block Cipher Modes of Operation

CRYPTO : BLOCK CIPHERS

• But, ECB isn’t very secure:

[Figure panels: Original Image | Encrypted using ECB mode | Modes other than ECB]

Ref: Wikipedia: Block Cipher Modes of Operation

CRYPTO : BLOCK CIPHERS

• Mode of Operation: CBC
  • CBC: Cipher Block Chaining Mode

Ref: Wikipedia: Block Cipher Modes of Operation
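Why the ECB-encrypted image still shows its outline while other modes do not: identical plaintext blocks always produce identical ciphertext blocks under ECB, and CBC chaining removes that pattern. This is an added example, not code from the slides or from wolfSSL; it uses XTEA (64-bit blocks) in place of AES/DES only to stay self-contained, and the input and function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLK 8  /* XTEA block size in bytes (AES would be 16) */

/* XTEA block encryption, 32 cycles; stands in for AES/DES in this demo. */
static void xtea_encrypt(uint8_t blk[BLK], const uint32_t key[4]) {
    uint32_t v[2], sum = 0;
    memcpy(v, blk, BLK);
    for (int i = 0; i < 32; i++) {
        v[0] += (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + key[sum & 3]);
        sum += 0x9E3779B9u;
        v[1] += (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + key[(sum >> 11) & 3]);
    }
    memcpy(blk, v, BLK);
}

/* ECB: every block is encrypted independently under the same key. */
void ecb_encrypt(uint8_t *buf, size_t len, const uint32_t key[4]) {
    for (size_t off = 0; off + BLK <= len; off += BLK)
        xtea_encrypt(buf + off, key);
}

/* CBC: each plaintext block is XORed with the previous ciphertext block (IV first). */
void cbc_encrypt(uint8_t *buf, size_t len, const uint32_t key[4], const uint8_t iv[BLK]) {
    const uint8_t *prev = iv;
    for (size_t off = 0; off + BLK <= len; off += BLK) {
        for (int i = 0; i < BLK; i++) buf[off + i] ^= prev[i];
        xtea_encrypt(buf + off, key);
        prev = buf + off;
    }
}

/* Number of blocks that are byte-identical to some earlier block. */
size_t repeated_blocks(const uint8_t *buf, size_t len) {
    size_t n = len / BLK, repeats = 0;
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (memcmp(buf + i * BLK, buf + j * BLK, BLK) == 0) { repeats++; break; }
    return repeats;
}

/* Constructed input: 8 blocks alternating all-'A' and all-'B', so 6 are repeats. */
void fill_sample(uint8_t buf[64]) {
    for (size_t i = 0; i < 64; i++) buf[i] = (uint8_t)('A' + (i / BLK) % 2);
}
```

Running `repeated_blocks` on the ECB output returns the same count as on the plaintext, which is the structure an observer sees without knowing the key.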

CRYPTO : BLOCK CIPHERS

• Mode of Operation: CTR
  • CTR: Counter Mode

Ref: Wikipedia: Block Cipher Modes of Operation

CRYPTO : STREAM CIPHERS

• Symmetric key ciphers where each plaintext digit is XOR’d with the corresponding digit of the keystream
• Typically execute at higher speed than block ciphers
• Have lower hardware complexity

Examples:
• RC4 (ARC4), , HC-128, ChaCha20

CRYPTO : AEAD CIPHERS

• AEAD: Authenticated Encryption with Associated Data
• Block cipher mode providing confidentiality, integrity, and authenticity.
• MAC-then-Encrypt (MtE): a MAC of the plaintext is computed, then the plaintext and MAC are encrypted together and sent.
• AEAD Examples:
  • AES-GCM, AES-CCM,

CRYPTO : HASH FUNCTIONS

• Ideal hash function creates a message digest that is:
  • Easy to compute for a given message
  • Infeasible to generate message that has given hash
  • Infeasible to modify message without changing hash
  • Infeasible to find two different messages with same hash
• Common hash (MAC) functions:
  • MD5, SHA-1, SHA-256, SHA-384, SHA-512

CRYPTO : PUBLIC KEY ALGORITHMS

• Asymmetric algorithms (public / private key)
• Public key used to encrypt, private key used to decrypt
• Algorithms:
  • RSA, ECC, DSA, DH, NTRU

CRYPTO : PUBLIC KEY ALGORITHMS

RSA | ECC | PSK

+ Well established + Shorter keys w/ same security + Avoid expensive PK ops
+ Lower CPU usage + Key management convenience
+ Lower memory usage

CRYPTO : KEY SIZES

NIST Recommended Key Sizes

Bits of     Symmetric Key    Hash        RSA Key    ECC Key
Security    Algorithm        Function    Size       Size
80          3DES (2 keys)    SHA-1       1024       160
112         3DES (3 keys)    SHA-224     2048       224
128         AES-128          SHA-256     3072       256
192         AES-192          SHA-384     7680       384
256         AES-256          SHA-512     15360      521

NIST SP800-57: Recommendations for Key Management
BlueKrypt: Cryptographic Key Length Recommendations

CRYPTO : PERFORMANCE

TLS : CIPHER SUITES

STRUCTURE, PRECEDENCE

CIPHER SUITES : STRUCTURE

• Combination of hash functions and algorithms:

Hash Functions: MD5, SHA-1, SHA-256, …
Block and Stream Ciphers: AES, 3DES, RC4, RABBIT, …
Public Key Algorithms: RSA, ECC, …

[Diagram: the three groups above combine into a CIPHER SUITE]

CIPHER SUITES : STRUCTURE

Protocol_keyexchange_WITH_bulkencryption_mode_messageauth

Examples:
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
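A parser for the naming structure above, useful when auditing which suites a device is configured to offer. This is an added example, not code from the slides or from wolfSSL/CyaSSL; the names `suite_info` and `parse_suite` are hypothetical, and the `weak` flag (single DES, RC4, NULL, MD5, anonymous key exchange) is a review policy assumed here rather than one stated on the slide.

```c
#include <string.h>

/* Components of Protocol_keyexchange_WITH_bulkencryption_mode_messageauth. */
typedef struct {
    char protocol[8], kx[24], bulk[24], mode[8], mac[12];
    int ephemeral;  /* DHE/ECDHE key exchange, so a Server Key Exchange is sent */
    int weak;       /* assumed policy: single DES, RC4, NULL, MD5 or anonymous DH */
} suite_info;

/* Bounded copy of n bytes that always NUL-terminates. */
static void copy(char *dst, size_t cap, const char *src, size_t n) {
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Returns 0 on success, -1 if the name does not follow the structure. */
int parse_suite(const char *name, suite_info *out) {
    static const char *modes[] = { "CBC", "GCM", "CCM", "CTR" };
    const char *us = strchr(name, '_');
    const char *with = strstr(name, "_WITH_");
    const char *rest, *last;
    size_t blen;

    memset(out, 0, sizeof *out);
    if (!us || !with || with <= us) return -1;
    copy(out->protocol, sizeof out->protocol, name, (size_t)(us - name));
    copy(out->kx, sizeof out->kx, us + 1, (size_t)(with - us - 1));

    rest = with + 6;                    /* bulk[_mode]_mac */
    last = strrchr(rest, '_');
    if (!last || last == rest || !last[1]) return -1;
    copy(out->mac, sizeof out->mac, last + 1, strlen(last + 1));

    blen = (size_t)(last - rest);       /* bulk cipher, possibly with a mode suffix */
    for (size_t i = 0; i < 4; i++) {
        size_t ml = strlen(modes[i]);
        if (blen > ml + 1 && rest[blen - ml - 1] == '_' &&
            strncmp(rest + blen - ml, modes[i], ml) == 0) {
            copy(out->mode, sizeof out->mode, modes[i], ml);
            blen -= ml + 1;             /* stream ciphers such as RC4 have no mode */
            break;
        }
    }
    copy(out->bulk, sizeof out->bulk, rest, blen);

    out->ephemeral = strncmp(out->kx, "DHE", 3) == 0 || strncmp(out->kx, "ECDHE", 5) == 0;
    out->weak = strcmp(out->bulk, "DES") == 0 || strncmp(out->bulk, "RC4", 3) == 0 ||
                strcmp(out->bulk, "NULL") == 0 || strcmp(out->mac, "MD5") == 0 ||
                strstr(out->kx, "anon") != NULL || strstr(out->kx, "ANON") != NULL;
    return 0;
}
```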

CIPHER SUITES : PRECEDENCE

• In SSL/TLS, cipher suites have precedence over others
  • Varies from library to library
  • Can be specified by the application (through API)
  • Typically sorted by security level

X.509 : CERTS AND KEYS

CHAINS, GENERATION, AND CONVERSION

MAKING SENSE OF X.509

• X.509 is a standard for PKI (public key infrastructure)
• Some things specified by it include:
  • Public key certificates
  • Certificate revocation lists
  • Certificate path validation algorithm (CA / cert chain structure)
• Structure is expressed in ASN.1 syntax

X.509V3 CERTIFICATES

Structure of X.509v3 certificate is as follows:

• Certificate
  • Version
  • Serial Number
  • Algorithm ID
  • Issuer
  • Validity
    • Not Before
    • Not After
  • Subject
  • Subject Public Key Info
    • Public Key Algorithm
    • Subject Public Key
  • Issuer Unique Identifier (optional)
  • Subject Unique Identifier (optional)
  • Extensions (optional)
    • …
• Certificate Signature Algorithm
• Certificate Signature

X.509V3 CERTIFICATES

• Filename Extensions:
  • .pem
    • “Privacy-enhanced Electronic Mail”
    • Base64-encoded DER certificate, enclosed between:
      -----BEGIN CERTIFICATE-----
      …
      -----END CERTIFICATE-----
  • .der, .cer, .crt
    • Binary DER form
• Others include
  • .p7b, .p7c (PKCS#7) – standard for signing/encrypting data
  • .p12 (PKCS#12) – bundle certs and private keys
  • .pfx (predecessor to .p12)

CERTIFICATE CHAIN

• A list of certificates followed by one or more CA certificates, where:
  • The Issuer of each certificate matches the Subject of the next
  • Each cert is signed by the private key of the following cert
  • The last cert in the chain (although not sent in the SSL/TLS handshake) is the “root CA”

CERTIFICATE CHAIN

://www.google.com

Equifax Secure Certificate Authority: Root CA
GeoTrust Global CA: Intermediate CA
Google Internet Authority G2: Intermediate CA
*.google.com: Server Certificate

WOLFSSL

LIGHTWEIGHT SSL / TLS LIBRARY

WOLFSSL

Features
• -language based SSL/TLS library
• Standards up to TLS 1.2 and DTLS 1.2
• Focused on size and speed optimization, progressive
• Minimum footprint size of 20-100 kB
• Minimum RAM usage: 1-36kB
• Web server integration (NGINX, Lighttpd, Mongoose, GoAhead)
• OpenSSL Compatibility Layer
• Hardware Crypto Support (including Freescale mmCAU / CAU / SEC)
• Suite-B Compatible, FIPS 140-2 (Level 1) in process
• Dual Licensed (GPLv2 and Commercial)

WOLFSSL

Algorithm Support

Hash Functions: MD2, MD4, MD5, SHA-1, SHA-2, SHA-3, RIPEMD
Block Ciphers: AES, DES, 3DES,
Stream Ciphers: ARC4, RABBIT, HC-128, ChaCha20
Authenticated Ciphers: AES-GCM, AES-CCM, Poly1305
Public Key Options: RSA, ECC, DSS, DH, EDH
Password-based Key Derivation: HMAC, PBKDF2

RED = Supports mmCAU Hardware Acceleration

WOLFSSL

Ability to take advantage of mmCAU Hardware Crypto

CYASSL + KDS + KINETIS MCUS

USING CYASSL WITH FREESCALE KINETIS DESIGN STUDIO IDE AND KINETIS MCUS

CYASSL + KDS + KINETIS MCUS

• CyaSSL is available for download as a patch to MQX RTOS & Kinetis SDK
• Patch includes sample HTTPS server
  • (used in the upcoming lab session)
• CyaSSL tightly integrates with MQX / RTCS / MFS
• Defines:
  • FREESCALE_MQX
  • FREESCALE_MMCAU
  • FREESCALE_K70_RNGA
  • FREESCALE_K53_RNGB
• Defines Located In:
  • ./cyassl/ctaocrypt/settings.h (CyaSSL)
  • ./wolfssl/wolfcrypt/settings.h (wolfSSL)

OBTAINING THE KSDK PATCH

1. Visit www.freescale.com/ksdk
2. Click
3. Install 2nd 1st

Patch Licensing: Commercial Evaluation Only

CYASSL + KDS + KINETIS MCUS

• RTCS exposes SSL layer from the following header:

    #include

    KSDK_1.2.0/middleware/tcpip/rtcs/source/include

• Provides structure to hold keys, certs, and side:

    typedef struct rtcs_ssl_params_struct
    {
        char* cert_file;              /* certificate file */
        char* priv_key_file;          /* private key file */
        char* ca_file;                /* CA certificate file */
        RTCS_SSL_INIT_TYPE init_type; /* server or client side */
    } RTCS_SSL_PARAMS_STRUCT;

• The SSL/TLS side is specified by the RTCS_SSL_INIT_TYPE enumeration:

    typedef enum rtcs_ssl_init_type
    {
        RTCS_SSL_SERVER,
        RTCS_SSL_CLIENT
    } RTCS_SSL_INIT_TYPE;

• Available functions include:

    void*    RTCS_ssl_init(RTCS_SSL_PARAMS_STRUCT *params);
    void     RTCS_ssl_release(void *ctx);
    uint32_t RTCS_ssl_socket(void* ctx, uint32_t sock);
    uint32_t RTCS_ssl_shutdown(uint32_t ssl_sock);
    int32_t  RTCS_ssl_recv(uint32_t ssl_sock, void *buf, uint32_t len, uint32_t flags);
    int32_t  RTCS_ssl_send(uint32_t ssl_sock, void *buf, uint32_t len, uint32_t flags);

“void* ctx” is a pointer to a CYASSL_CTX structure.

WIRESHARK FOR TLS

USING WIRESHARK TO INSPECT A TLS CONNECTION

LEVERAGING WIRESHARK

1. Make sure an SSL/TLS server is running
2. Open Wireshark
3. Observe traffic captured:
   • Make an HTTPS connection, notice data secured + TLS

Protocol Decoding Tip:

• After capturing traffic, navigate to:
  • Analyze -> Decode As -> SSL
• This will show you the SSL/TLS packets, i.e.:
  • “ClientHello”, “ServerHello”, etc.

HANDS ON LAB

HTTPS SERVER EXAMPLE WITH CYASSL, KDS, AND FRDM-K64F

• Please reference the lab manual passed out at the beginning of session.

THANKS! QUESTIONS?

WOLFSSL: [email protected]
CHRIS CONLON: [email protected]
FREESCALE COMMUNITY: Freescale.com/community
+1 (425) 245 - 8247

TIME PERMITTING TOPICS

- Viewing certificates with “ x509” app
- Converting and loading certificates into CyaSSL
- mktfs (memory buffer gen tool)
- Optimizing CyaSSL for low resource devices
- Overview of CyaSSL / wolfSSL code structure