
1994: SSL1 and SSL2. Created by Netscape and contained significant flaws
1995: SSL3. Created by Netscape to address SSL2 flaws
1999: TLS 1.0. Standardized SSL3 with almost no changes (RFC2246)
…
2006: TLS 1.1. Security fixes and TLS extensions (RFC4346)
2008: TLS 1.2. Added support for authenticated encryption (AES-GCM, CCM modes) and removed hard-coded primitives (RFC5246)

Things get complicated

First set of public SSL exploits

• August 2009: Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack
• RFC 5746: TLS extension for secure renegotiation quickly mainstreamed
• BEAST & CRIME: Client-side or MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws
• Lucky 13: Another timing attack
• RC4 Attacks: Weakness in CBC cipher making plaintext guessing possible
• TIME: A refinement and variation of CRIME
• The end of the Internet as we know it!

Timeline dates: August 2009, February 2010, September 2011, March 2013, March 2013, April 2013, …, February 2014

POODLE: oracle attack on SSLv3

Dire POODLE: Padding oracle attack on TLS

FREAK: Implementation attack on export ciphers

OpenSSL, NSS, GnuTLS, Apple Secure Transport, Microsoft SCHANNEL
CVE-2014-0160, CVE-2014-1544, CVE-2014-3566, CVE-2014-1295, CVE-2014-6332

LogJam: Implementation attack on weak DH

• Google stops using RC4 and SSLv3: Google leads the way by deprecating obsolete encryption standards
• Let’s Encrypt: Launched to provide free certificates with automated issuance
• HTTP/2: HTTP released as RFC 7540. Google EOL’s SPDY. HTTP/2 doesn’t require encryption but all major browsers implement it
• Let’s Keep Encrypting: Let’s Encrypt has 20 MILLION active certificates
• TLS 1.3: TLS 1.3 published August 10, 2018 (RFC8446)

Timeline dates: 2015, May 2015, 2016, …, 2017, 2018

August 14th, 2018: You’re reading these slides

Availability
Authentication & Non-Repudiation

SSL – Secure Sockets Layer: A suite of protocols created by Netscape in 1994 to secure data on the wire

TLS – Standardized update to SSL (RFC5246)

Cryptography: The science and study of transforming information in order to make it secure from unintended recipients

PKI (Public Key Infrastructure): An architecture that provides asymmetric cryptography and a trust model that binds certificate subjects and issuers

[Figure: the OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) with the devices and protocols placed on them: hubs, switches, routers, most firewalls, (traditional) load balancers, proxies, SSL/TLS, HTTP]

[Figure: encapsulation of a request between the browsers and the wire; each step adds a header: HTTP payload, HTTP headers, SSL, TCP, IP]

Transport Layer Security

• Modes of Operation
• Certificate Authorities
• PRNG
• Message Authentication Code
• Signatures
• Revocation
• Symmetric Encryption
• Asymmetric Encryption
• Certificates

TLS 1.2 Handshake Protocol – Basic Handshake

Client → Server: ClientHello
Specifies the highest TLS protocol version supported, a random number, a list of suggested CipherSuites, suggested compression methods and extensions

Server → Client: ServerHello
Contains the chosen protocol version, a random number, CipherSuite, compression method and any additional supported extensions.

Server → Client: Certificate
Contains the server's public key and optionally the certificate trust chain

Server → Client: ServerHelloDone
Indicates handshake negotiation is complete

Client → Server: ClientKeyExchange
Contains a PreMasterSecret, public key or nothing (depends on cipher). If a PreMasterSecret is included it is encrypted with the server's Public Key

Client → Server: ChangeCipherSpec
Tells the server that all following traffic will be authenticated and encrypted

Client → Server: Finished
Contains a hash and MAC of the previous message. Server will attempt to decrypt and verify the hash and MAC. If decryption or validation fails the connection is killed

Server → Client: ChangeCipherSpec
Tells the client that all the following traffic will be authenticated and encrypted

Server → Client: Finished
Contains a hash and MAC of the previous message. Server will attempt to decrypt and verify the hash and MAC. If decryption or validation fails the connection is killed

ApplicationData
Handshake complete and decrypted data is passed to the higher layer on both ends of the connection

Cipher Suite

• Key Exchange/Agreement
• Signature
• Bulk Encryption
• Message Authentication
• Elliptic Curve

Public is NOT part of the cipher string!

Ciphers and why they matter

TLS weaknesses

CBC-based ciphers
• BEAST ( abuse)
• CRIME (compression abuse)
• POODLE and DIRE POODLE (padding oracle)
• Lucky 13 (timing)

Diffie-Hellman
• broken by LogJam

SSLv3
• Completely broken by POODLE

TLSv1.0
• Broken by BEAST and other attacks

TLSv1.1
• Sometimes broken

TLSv1.2
• Broken in OpenSSL by Heartbleed (patched)

3DES
• Found to be equivalent to 112-bits

RC4
• Not CBC but weak and probably broken

SHA1
• Weak – industry moving away from it

[Figure: R.I.P: CBC, SSL3, 3DES, RC4, SHA1]

TLS 1.3 Handshake Protocol – Basic Handshake

Client → Server: Client Hello, Supported Cipher Suites, Guesses Key Agreement protocol, Key Share
Similar to 1.2 handshake, however the client sends the list of supported cipher suites and guesses which key agreement the server is likely to select

Server → Client: Server Hello, Key Agreement protocol, Key Share, Server finished
Server replies with the key agreement protocol. “Server Hello” also comprises the server's key share, its certificate as well as the Server finished message

Client → Server: Checks Certificate, Generates Keys, Client finished
Now, the client checks the server certificate, generates keys as it has the key share of the server, and sends the “Client Finished” message. From here on, the encryption of the data begins.

Application Data

Why you want PFS, EC, and TLS 1.3

TLS best practices

• Keep private keys private
• Only generate RSA or ECDSA keys: Minimum 2048-bit for RSA and 256-bit for ECDSA
• Choose the right type of certificate: Domain, Organization, or Extended Validation
• Certificate signing should use SHA256
• For public sites use TLS1.2, 1.3: Disable SSLv3 unless you have a good reason otherwise
• Use a strong cipher: Something that has at least 128-bits of security
• Use Perfect Forward Secrecy if possible: Avoid RSA key exchange and prefer ECDHE over DHE
• Encrypt all or nothing: Use HSTS (on all subdomains) to extend this
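
The cipher-suite anatomy, the weaknesses list and the best practices above, combined into one check. This is an added example, not part of the original slides: it splits IANA-style suite names into their components and flags the primitives the deck calls out (export ciphers, RSA key exchange, Diffie-Hellman, RC4, 3DES, CBC, SHA1). The function names, label strings and sample suite list are this example's own.

```python
# Constructed sample input: IANA suite names chosen for illustration, not from a real server.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

def parse_suite(name):
    """Split an IANA suite name into key exchange, authentication, bulk cipher and hash."""
    body = name.split("_", 1)[1]                    # drop the TLS_/SSL_ prefix
    kx_auth, _, rest = body.rpartition("_WITH_")    # TLS 1.3 names have no _WITH_ part
    parts = [p for p in kx_auth.split("_") if p and not p.startswith("EXPORT")]
    tokens = rest.split("_")
    has_hash = tokens[-1].startswith("SHA") or tokens[-1] == "MD5"
    return {
        # TLS 1.3 negotiates key agreement and signatures outside the suite name
        "kx": parts[0] if parts else None,
        "auth": parts[-1] if parts else None,
        "bulk": "_".join(tokens[:-1] if has_hash else tokens),
        "hash": tokens[-1] if has_hash else None,   # CCM suites name no hash
        "export": "EXPORT" in kx_auth,
    }

def audit(name):
    """Return the weakness labels that apply to one suite (empty list = none found)."""
    s = parse_suite(name)
    issues = []
    if s["export"]:
        issues.append("export cipher (FREAK)")
    if s["kx"] == "RSA":
        issues.append("RSA key exchange (no forward secrecy)")
    elif s["kx"] in ("DH", "DHE"):
        issues.append("Diffie-Hellman (LogJam), prefer ECDHE")
    bulk = s["bulk"].split("_")
    issues += [f"{w} bulk cipher" for w in ("RC4", "3DES", "CBC") if w in bulk]
    aead = any(t in bulk for t in ("GCM", "CCM", "POLY1305"))
    if s["hash"] == "SHA" and not aead:             # plain "SHA" in a suite name means SHA1
        issues.append("SHA1 MAC")
    return issues

def report(suites):
    """Map each suite name to its list of findings."""
    return {name: audit(name) for name in suites}

if __name__ == "__main__":
    for suite, found in report(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(found) or 'ok'}")
```
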

F5 Security Incident Response Team

Thank You