Secure Industrial Device Connectivity with Low-Overhead TLS

Tuesday, October 3, 2017 1:10PM-2:10PM Chris Conlon

- Engineering Manager, wolfSSL
- B.S. from Montana State University (Bozeman, MT)
- Software engineer at wolfSSL (7 years)

Contact Info:

- Email: [email protected]
- Twitter: @c_conlon

[Figure: the original image, the same image encrypted using ECB mode, and the same image encrypted using modes other than ECB]

[Figure: public key schema. Original schema: A.J. Han Vinck, University of Duisburg-Essen; SVG version: Flugaal. A.J. Han Vinck, Introduction to public key, p. 16, Public Domain, commons.wikimedia.org/w/index.php?curid=17063048]

● "Progressive" is a subjective term

● These slides talk about crypto algorithms that are:
  ○ New, modern
  ○ Becoming widely accepted
  ○ Integrated into SSL/TLS with cipher suites
● ChaCha20
● Ed25519

Created by Daniel Bernstein, a research professor at the University of Illinois, Chicago.

ChaCha20-Poly1305 AEAD is used by Google over HTTPS.

Ed25519 and ChaCha20-Poly1305 AEAD are used in Apple's HomeKit (iOS Security).

ChaCha20
● Fast
● Derived from an earlier stream cipher, using a different quarter-round process that gives it more diffusion
● Can be used for AEAD encryption with Poly1305
● Published by Bernstein in 2008
● Used by: Google Chrome, TinySSH, Apple HomeKit, wolfSSL

Poly1305
● Provides authenticity of messages (MAC)
● Extremely fast in comparison to others
● Introduced in a presentation given by Bernstein in 2002
● Naming scheme comes from using a polynomial-evaluation MAC (Message Authentication Code) over the prime field Z/(2^130 - 5)
● Used by: Google Chrome, Apple iOS, wolfSSL

Montgomery curve
● Generic Montgomery curve (Reference 5)
● Used by: Tera Term, GnuPG, wolfSSL

Ed25519
● Generic Twisted Edwards curve (Reference 6)

1. Privacy: prevents eavesdropping
2. Authentication: prevents impersonation
3. Integrity: prevents modification

● Current SSL / TLS / DTLS versions:
  ○ RFC 6101 (SSL 3.0)
  ○ RFC 2246 (TLS 1.0)
  ○ RFC 4346 (TLS 1.1)
  ○ RFC 5246 (TLS 1.2)

● Most TLS implementations run on top of a BSD socket API
● Since TLS sits ON TOP of the transport layer, you can theoretically run it on top of ANY transport medium:
  ○ Serial connection (RS-232)
  ○ Proprietary transport layer
  ○ Memory buffers
  ○ etc.
● Uses a variety of crypto algorithms:
  ○ Hash functions: SHA, SHA-256, ...
  ○ Block and stream ciphers: 3DES, AES, ...
  ○ Public key algorithms: RSA, ECC, NTRU, ...

● A common CIPHER SUITE is negotiated during the TLS handshake. Suite names follow the pattern:

    Protocol_keyexchange_WITH_bulkencryption_mode_messageauth

  for example:

    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA

● Four sub-protocols:
  1. Handshake Protocol
  2. Change Cipher Spec Protocol
  3. Alert Protocol
  4. Record Protocol

Handshake Protocol
● Responsible for negotiating a session, which includes:
  ○ Session identifier
  ○ Authentication (one-way or mutual)
  ○ Whether compression is used
  ○ Agreeing on the set of algorithms
  ○ Calculation of the master secret

Change Cipher Spec Protocol
● Signals transitions in ciphering strategies
● Sent by both client and server
● Notifies the receiving party that subsequent records will be protected under the newly negotiated CipherSpec and keys

Alert Protocol
● Conveys the severity and description of an alert
● Severity is either "warning" or "fatal"
● A fatal alert results in immediate termination of the connection

Record Protocol
● Records are encrypted and compressed as per the CipherSpec
● [Figure: TLS Record Header Format]

● Handshake Protocol Format

The slides step through the handshake one message at a time (Client Hello, Hello Verify Request, Server Hello, Hello Extensions, Server Certificate, Server Key Exchange, Certificate Request, Server Hello Done, Client Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished), highlighting each in the same flow diagram. The full flow, with the messages the slides mark as optional in parentheses (they appear only when the server requests client authentication) and Hello Verify Request being DTLS-only:

  Client                                  Server
  Client Hello              -------->
                            <--------     Hello Verify Request (DTLS only)
  Client Hello              -------->
                                          Server Hello
                                          Certificate
                                          Server Key Exchange
                                          (Certificate Request)
                            <--------     Server Hello Done
  (Certificate)
  Client Key Exchange
  Certificate Verify
  Change Cipher Spec
  Finished                  -------->
                                          Change Cipher Spec
                            <--------     Finished

● Hello Extensions
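Added example (not from the slides or from wolfSSL): a minimal record-layer parser in C that recognises the four sub-protocols by content type, pulls the message type and 24-bit length out of handshake records and the severity level out of alerts, and refuses oversized or truncated records. The header layouts are assumed from RFC 5246 (5-byte record header, 4-byte handshake header, 2-byte alert); the two sample records are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Record-layer content types, one per TLS sub-protocol (RFC 5246 section 6.2.1). */
enum { CT_CHANGE_CIPHER_SPEC = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APP_DATA = 23 };
/* RFC plaintext limit is 2^14 bytes; ciphertext may carry up to 2048 bytes of overhead. */
#define TLS_MAX_FRAGMENT   (1u << 14)
#define TLS_MAX_CIPHERTEXT (TLS_MAX_FRAGMENT + 2048u)

typedef struct {
    uint8_t  content_type;
    uint16_t version;      /* 0x0303 = TLS 1.2 */
    uint16_t length;       /* bytes of fragment following the 5-byte header */
    int      hs_type;      /* handshake message type (1 = ClientHello, ...), -1 if none */
    uint32_t hs_length;    /* 24-bit length from the handshake header */
    int      alert_level;  /* 1 = warning, 2 = fatal, -1 if not an alert */
} tls_record;

/* Parse one record from buf. Returns the number of bytes the record occupies
 * (5 + length) or 0 when the input is truncated or malformed, so a caller
 * can keep reading from a socket or serial line until a full record arrives. */
size_t tls_parse_record(const uint8_t* buf, size_t len, tls_record* out)
{
    const uint8_t* body;
    if (buf == NULL || out == NULL || len < 5) return 0;
    memset(out, 0, sizeof(*out));
    out->hs_type = -1;
    out->alert_level = -1;
    out->content_type = buf[0];
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->length  = (uint16_t)((buf[3] << 8) | buf[4]);
    if (out->content_type < CT_CHANGE_CIPHER_SPEC || out->content_type > CT_APP_DATA)
        return 0;                                   /* not one of the four sub-protocols */
    if (out->length > TLS_MAX_CIPHERTEXT) return 0; /* exceeds the RFC bound: reject, don't buffer */
    if (len < 5u + out->length) return 0;           /* truncated: wait for the rest */
    body = buf + 5;
    if (out->content_type == CT_HANDSHAKE) {
        /* Handshake header: msg_type(1) + length(3). A message may continue in the
         * next record, so hs_length is allowed to exceed this record's fragment. */
        if (out->length < 4) return 0;
        out->hs_type   = body[0];
        out->hs_length = ((uint32_t)body[1] << 16) | ((uint32_t)body[2] << 8) | body[3];
    } else if (out->content_type == CT_ALERT) {
        if (out->length != 2) return 0;             /* alert = level(1) + description(1) */
        out->alert_level = body[0];                 /* 2 (fatal) means the peer is closing */
    }
    return 5u + out->length;
}

/* Constructed sample records (not captured traffic): a handshake record wrapping
 * a minimal ClientHello header, and a fatal handshake_failure(40) alert. */
const uint8_t kSampleHello[] = {0x16,0x03,0x03,0x00,0x06, 0x01,0x00,0x00,0x02,0x03,0x03};
const uint8_t kSampleAlert[] = {0x15,0x03,0x03,0x00,0x02, 0x02,0x28};
```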

● X.509 is a standard for PKI (public key infrastructure)
● Some things specified by it include:
  ○ Public key certificates
  ○ Certificate revocation lists
  ○ Certificate path validation algorithm (CA / cert chain structure)
● Structure is expressed in ASN.1 syntax
● Filename extensions:
  ○ .pem
    ■ "Privacy-enhanced Electronic Mail"
    ■ Base64-encoded DER certificate
  ○ .der, .cer, .crt
    ■ Binary DER form
● Others include:
  ○ .p7b, .p7c (PKCS#7) - standard for signing/encrypting data
  ○ .p12 (PKCS#12) - bundles certs and private keys
  ○ .pfx (predecessor to .p12)

● Structure of an X.509v3 certificate is as follows:
● Certificate
  ○ Version
  ○ Serial Number
  ○ Algorithm ID
  ○ Issuer
  ○ Validity
    ■ Not Before
    ■ Not After
  ○ Subject
  ○ Subject Public Key Info
    ■ Public Key Algorithm
    ■ Subject Public Key
  ○ Issuer Unique Identifier (optional)
  ○ Subject Unique Identifier (optional)
  ○ Extensions (optional)
  ○ ...
● Certificate Signature Algorithm
● Certificate Signature

● A certificate chain is a list of certificates followed by one or more CA certificates, where:
  ○ The Issuer of each certificate matches the Subject of the next
  ○ Each cert is signed by the private key of the following cert
  ○ The last cert in the chain (although not sent in the SSL/TLS handshake) is the "root CA"

TLS 1.3 timeline
● August 2013 - Work on TLS 1.3 begins
● April 17, 2014 - Draft 00, 01
● July 7, 2014 - Draft 02
● October 27, 2014 - Draft 03
● January 3, 2015 - Draft 04
● March 9, 2015 - Draft 05
● June 29, 2015 - Draft 06
● July 8, 2015 - Draft 07
● August 28, 2015 - Draft 08
● October 5, 2015 - Draft 09
● October 19, 2015 - Draft 10
● December 28, 2015 - Draft 11
● February 2016 - TLS Working Group Workshop to analyze TLS 1.3 designs
● March 21, 2016 - Draft 12
● May 22, 2016 - Draft 13
● July 11, 2016 - Draft 14
● August 17, 2016 - Draft 15
● September 22, 2016 - Draft 16
● October 20, 2016 - Draft 17
● October 26, 2016 - Draft 18
● March 10, 2017 - Draft 19
● April 28, 2017 - Draft 20
● July 3, 2017 - Draft 21

● In development for over 4 years now
● 21 drafts so far
● wolfSSL has implemented Drafts 18 and 20!

Algorithm Changes
● Symmetric algorithm list has been pruned of all "legacy" algorithms
● Remaining algorithms all use Authenticated Encryption with Associated Data (AEAD)
● The ciphersuite concept has changed to separate the authentication and key exchange mechanisms from the record protection algorithm and the hash used with the key derivation function and HMAC

Zero-RTT Mode
● Performance enhancement
● Saves a round-trip at connection setup for some application data
● At the cost of some security properties

More Encrypted Handshake Messages
● All handshake messages after the ServerHello are now encrypted
● New EncryptedExtensions message allows extensions previously sent in the clear in the ServerHello to also be encrypted

Redesigned Key Derivation Functions
● Allows for easier analysis by cryptographers due to improved key separation properties
● HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is used

ECC is Included
● Now included in the base spec
● Includes new signature algorithms (ex: ed25519, ed448)
● Point format negotiation removed in favor of a single point format per curve

Other Crypto Improvements
● Removed
  ○ Compression
  ○ Custom DHE groups
  ○ DSA
● RSA padding changed to use PSS

Version Negotiation Removed
● TLS 1.2 included a version negotiation mechanism
● TLS 1.3 removes this in favor of a version list in an extension
● Increases compatibility with servers which incorrectly implemented version negotiation

Session Resumption

● Session resumption with and without server-side state removed
● PSK-based ciphersuites of earlier TLS versions removed
● Replaced by a single new PSK exchange

● Supports 3 basic key exchange modes:
  a. (EC)DHE (both finite field and elliptic curve varieties)
  b. PSK-only
  c. PSK with (EC)DHE

Using wolfSSL as a demonstration
● Make sure your application is compiled with the SAME preprocessor defines as the TLS library.
● When using Autoconf, simply include the generated options header:

    #include <wolfssl/options.h>

    int main() { return 0; }

● The main wolfSSL header for SSL/TLS is <wolfssl/ssl.h>:

    #include <wolfssl/options.h>
    #include <wolfssl/ssl.h>

    int main() { return 0; }

● wolfSSL has two main structures:
  ○ WOLFSSL - SSL/TLS session
  ○ WOLFSSL_CTX - SSL/TLS context

    #include <wolfssl/options.h>
    #include <wolfssl/ssl.h>

    int main() {
        WOLFSSL_CTX* ctx;
        WOLFSSL* ssl;

        return 0;
    }

● Initialize the wolfSSL library:

    /* initialize wolfSSL library */
    wolfSSL_Init();

● Optionally, enable debug output (also define DEBUG_WOLFSSL):

    /* enable wolfSSL debug output */
    wolfSSL_Debugging_ON();

● Create a wolfSSL context (ex: using TLS 1.2):

    WOLFSSL_CTX* ctx;
    ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());

● Enable (or set) peer verification:

    /* turn on peer verification, register verify callback */
    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify);

● Load the trusted root CA certificate, from a DER-formatted buffer:

    int ret;
    ret = wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_der_2048,
                                         sizeof(ca_cert_der_2048), SSL_FILETYPE_ASN1);

● Or from a PEM- or DER-formatted file:

    int ret;
    ret = wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0);

● After the socket has been created and connect()'ed, create the wolfSSL session:

    WOLFSSL* ssl;
    if ((ssl = wolfSSL_new(ctx)) == NULL)
        /* error out */

● Pass the established socket file descriptor to wolfSSL:

    wolfSSL_set_fd(ssl, sockfd);

● Initiate the SSL/TLS connection and do the handshake with the peer:

    /* client side */                  /* server side */
    ret = wolfSSL_connect(ssl);        ret = wolfSSL_accept(ssl);
    if (ret != SSL_SUCCESS)            if (ret != SSL_SUCCESS)
        /* error out */                    /* error out */

● Write data using:

    ret = wolfSSL_write(ssl, msg, msgSz);

● And read data using:

    ret = wolfSSL_read(ssl, reply, sizeof(reply));

● Shut down the SSL/TLS session:

    wolfSSL_shutdown(ssl);

● And finally, free resources:

    wolfSSL_free(ssl);
    wolfSSL_CTX_free(ctx);
    wolfSSL_Cleanup();

● PKI and X.509 Optimizations
● Algorithm Choices and Performance
● Footprint Optimization
● TLS Session Cache
● Hardware Crypto and Assembly Optimizations
● Stack vs. Heap Usage
● Math Library Selection
● TLS Record Size

● Use appropriate key sizes
  ○ Smaller = faster, less memory usage
  ○ Larger = more secure
● Remain conscious of algorithm selection
  ○ Some algorithms are more performant than others
  ○ Some algorithms require more or less memory
● Certificate formats affect footprint size (DER vs. PEM)
● Keep certificate chain lengths in mind when designing PKI

[Table: recommended key lengths across several organizations' recommendations. Ref: NIST SP800-57 Part 1, keylength.com]

● Take advantage of hardware cryptography
  ○ Reduces the footprint size by eliminating software algorithms
  ○ Increases performance vs. software crypto
● Take advantage of assembly optimizations
  ○ Currently available defines in wolfSSL: TFM_X86, TFM_X86_64, TFM_SSE2, TFM_ARM, TFM_PPC32, TFM_PPC64, TFM_AVR32, TFM_ASM
● Optimize the footprint (FLASH usage) of the library
  ○ Compile out unneeded algorithms
    ■ Example: "./configure --disable-arc4 --disable-sha"
  ○ Disable error strings
    ■ Removes the strings corresponding to error codes
  ○ Disable debug symbols
    ■ Example: "./configure --disable-debug"
● Adjust the session cache
  ○ TLS session cache sizes are configurable (wolfSSL defaults to 33 sessions, about 3k RAM)
    ■ NO_SESSION_CACHE: saves ~3kB
    ■ SMALL_SESSION_CACHE: 6 sessions (less than 500 bytes RAM)
    ■ MEDIUM_SESSION_CACHE: 1055 sessions (200 sessions/minute)
    ■ BIG_SESSION_CACHE: 20,027 sessions
    ■ HUGE_SESSION_CACHE: 65,791 sessions (13,000 sessions/minute, or over 200/second)
● Preference between stack vs. heap allocation?

  ○ Different math library choices
  ○ Different compile-time build options
  ○ Performance of memory on stack vs. heap

● RSA cipher suites (wolfSSL)

    Math Library   Key Size   Peak Stack Use   Peak Heap Use
    fastmath       1024       10k              9k
    fastmath       2048       13k              11k
    normal         1024       6k               14k
    normal         2048       7k               17k

● ECC cipher suites (wolfSSL)

    Math Library   Key Size   Peak Stack Use   Peak Heap Use
    fastmath       256        7k               12k
    normal         256        6k               15k

● wolfSSL fastmath notes

  ○ FP_MAX_BITS should be set to twice the maximum key size if the key size is divisible by 32
    ■ For 2048-bit RSA keys, it should be set to 4096
    ■ For 256-bit ECC keys, it should be set to 512
    ■ Key sizes that are not a multiple of 32 should use (keysize * 2) + the digit size in bits (typically 32)
  ○ TFM_TIMING_RESISTANT
    ■ Reduces stack usage
  ○ ECC_TIMING_RESISTANT
    ■ Reduces heap usage, but slower
● TLS Record Size
  ○ RFC-specified maximum is 2^14 bytes (plus some overhead)
  ○ Can be reduced in two ways:
    ■ Manually lowering the buffer size on client and server
      ● Must control both client and server
    ■ Using the TLS Maximum Fragment Length Extension
      ● Server must support it, otherwise it is ignored
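Added example (not from the slides): building the max_fragment_length extension for a ClientHello and checking whether the ServerHello echoed it, so a device only shrinks its record buffer once the server has actually agreed. The extension layout (type 1, codes 1..4 selecting 2^9..2^12 bytes, echoed unchanged by a server that supports it) is assumed from RFC 6066, not from the slides; the two server extension blocks are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* max_fragment_length extension (RFC 6066 section 4): type 1, one-byte body
 * whose code 1..4 selects a 2^9 .. 2^12 byte fragment instead of the 2^14 default. */
#define EXT_MAX_FRAGMENT_LENGTH 1
#define TLS_DEFAULT_FRAGMENT    (1u << 14)

/* Fragment size in bytes selected by an extension code, 0 for an invalid code. */
unsigned mfl_fragment_bytes(int code)
{
    return (code >= 1 && code <= 4) ? (1u << (8 + code)) : 0;
}

/* Serialise the extension a client puts in its ClientHello:
 * type(2) | length(2) = 1 | code(1). Returns bytes written (5) or 0 on bad input. */
size_t mfl_build_extension(int code, uint8_t out[5])
{
    if (mfl_fragment_bytes(code) == 0) return 0;
    out[0] = 0x00; out[1] = EXT_MAX_FRAGMENT_LENGTH;
    out[2] = 0x00; out[3] = 0x01;
    out[4] = (uint8_t)code;
    return 5;
}

/* Walk a ServerHello extensions block (each entry: type(2) | length(2) | data)
 * and return the fragment size the client may now assume: the negotiated size
 * if the server echoed the same code, else the full 2^14 default, because a
 * server that does not support the extension simply ignores it. A server that
 * echoes a different code violates the RFC; that is reported as 0 (failure). */
unsigned mfl_negotiated_bytes(const uint8_t* exts, size_t len, int requested)
{
    size_t off = 0;
    while (off + 4 <= len) {
        unsigned type   = ((unsigned)exts[off] << 8) | exts[off + 1];
        size_t   extLen = ((size_t)exts[off + 2] << 8) | exts[off + 3];
        off += 4;
        if (off + extLen > len) return 0;          /* malformed: length runs past the block */
        if (type == EXT_MAX_FRAGMENT_LENGTH) {
            if (extLen != 1 || exts[off] != (uint8_t)requested) return 0;
            return mfl_fragment_bytes(requested);
        }
        off += extLen;
    }
    return TLS_DEFAULT_FRAGMENT;                    /* not echoed: keep the full-size buffer */
}

/* Constructed ServerHello extension blocks (not captured traffic): one that echoes
 * max_fragment_length = 2^10 after an unrelated empty extension, one that ignores it. */
const uint8_t kServerEchoes[]  = {0x00,0x17,0x00,0x00, 0x00,0x01,0x00,0x01,0x02};
const uint8_t kServerIgnores[] = {0x00,0x17,0x00,0x00};
```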