
BRKSEC-3015
TLS Decryption on Cisco Security Devices
Tobias Mayer, Technical Solutions Architect

BRKSEC-3015 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKSEC-3015

Abstract
This advanced session discusses how TLS-encrypted web traffic can be decrypted for inspection and the challenges this raises in an enterprise environment. To do this, we need to understand how TLS works and what is required to decrypt the traffic. The second section covers best practices for Cisco security products that deal with TLS decryption, such as Firepower, WSA and Umbrella. The last part gives an introduction to encrypted protocols such as HTTP/2, TLS 1.3 and QUIC. These protocols make it harder to decrypt certain traffic flows, so we need to think about complementary technologies that still enforce security in the network. As additional food for thought, we will also briefly touch on OCSP Stapling and Google's Certificate Transparency, which are interesting additions to the TLS landscape. This session is intended for network and security architects who want a deeper understanding of decrypting web traffic in the enterprise. Attendees should be familiar with the overall concepts of HTTP, HTTPS and TLS.

Me…
• CCIE Security #14390, CISSP & Motorboat driving license…
• Working in Content Security & TLS Security
• tmayer{at}cisco.com
• Writing stuff at “blogs.cisco.com”

“Hey, I am going to present on Web Decryption for 2 hours!”
Agenda
• Introduction
• Understanding TLS
• Configuring Decryption on the WSA
• Configuring Decryption on Cisco Firepower
• Configuring Decryption on Umbrella
• Thoughts about the future
  • Certificate Transparency & OCSP Stapling
  • HTTP/2, TLS 1.3 & QUIC

For Your Reference
• There are (many...) slides in your print-outs that will not be presented.
• They are there “For Your Reference”.

Big push for encryption
• Microsoft pushing TLS with PFS
• Apple demanding transport security
• Browser vendors aggressively pushing HTTPS
• Problems with older TLS versions leading to upgrade of servers to newer protocols and ciphers
  • Poodle, Freak, Beast, …
• Google, FB, Twitter encrypting all traffic
• HTTPS usage influencing page ranking on Google
• Deprecate SHA1, only SHA2+

Google Search Engine
• Google ranking influenced by using HTTPS
• http://blog.searchmetrics.com/us/2015/03/03/https-vs-http-website-ssl-tls-encryption-ranking-seo-secure-connection/

Understanding TLS

TLS Versions
• SSLv3, 1996
• TLS 1.0, 1999, RFC2246
• TLS 1.1, 2006, RFC4346
  • Improved security
• TLS 1.2, 2008, RFC5246
  • Removed IDEA and DES ciphers
  • Stronger hashes
  • Supports authenticated encryption ciphers (AES-GCM)
• TLS 1.3, currently Internet Draft
Some Attacks…
• POODLE
  • SSLv3 problems with padding; turn off SSLv3
• BEAST
  • Known issues in CBC mode; use TLS 1.1/1.2 with non-CBC mode ciphers (GCM)
• CRIME/BREACH
  • Compression data leak; disable compression in TLS (CRIME), HTTP compression still there
• Lucky13
  • Problem with padding still exists with CBC ciphers; use TLS 1.2 with AEAD (GCM)
• Freak
  • Downgrade to RSA_EXPORT; disable EXPORT ciphers, use TLS 1.2
• Logjam
  • Forces client to downgrade to DHE_EXPORT grade ciphers; disable DHE_EXPORT ciphers, use TLS 1.2

TLS Versions
• SSLv3, 1996, broken by Poodle
• TLS 1.0, 1999, RFC2246, weakened by BEAST & Lucky13
• TLS 1.1, 2006, RFC4346, weakened by Lucky13
  • Improved security
• TLS 1.2, 2008, RFC5246
  • Removed IDEA and DES ciphers
  • Stronger hashes
  • Supports authenticated encryption ciphers (AEAD, i.e. AES-GCM)
• TLS 1.3, currently Internet Draft

How is the encryption of the target website?

Cipherstrings
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  TLS          Protocol used
  ECDHE        Key Exchange
  ECDSA        Authentication
  AES_128_GCM  Symmetric Encryption used
  SHA256       Hash to verify integrity

Old and modern ciphers
                      old        modern
Protocol              SSL        TLS
Key exchange          RSA        EC(DHE) *
Authentication        RSA        EC(DSA)
Encryption algorithm  3DES, RC4  AES
Encryption mode       CBC        GCM
MAC                   SHA, MD5   SHA256, SHA384
* Ephemeral DH provides PFS

PFS – Perfect Forward Secrecy
• Using the RSA key for both authentication and key generation leaves our traffic vulnerable to offline attacks
• Someone might record our traffic and, years later, compromise our server, get the private key and decrypt all traffic.
• Diffie-Hellman (DH) is a method to prevent this, but:
  • With static DH, the DH parameters are actually again the private key…
• DHE uses unique keys for every session; this is called Perfect Forward Secrecy
  • Dynamic parameters for the DH session are never stored and never re-used

PFS - Example
• DHE ciphers use PFS
  • But are heavy to compute…
• ECDHE ciphers use Elliptic Curves and provide PFS
  • Much better performance
  • Especially in software

AEAD – Authenticated Encryption
https://en.wikipedia.org/wiki/Authenticated_encryption
• Authenticated Encryption with Associated Data
• CBC (confidentiality) + HMAC (integrity) vs. AE (confidentiality & integrity)
• GCM is the most popular algorithm
  https://en.wikipedia.org/wiki/Galois/Counter_Mode
  • No license and fast computing
  • Implemented in OpenSSL
See also: BRKSEC-3005 Cryptographic Protocols and Algorithms - a review

AEAD – Authenticated Encryption (2)
https://www.imperialviolet.org/2015/05/16/aeads.html
• AE (key, plaintext) -> Ciphertext
  • Same plaintext letter results in same ciphertext letter (“hello” -> “&%$$”)
• AE (key, plaintext, nonce) -> Ciphertext
  • Nonce needs to be distinct!
  • Need to send it along with the ciphertext
  • Problem: order of the messages!
• AEAD (key, plaintext, nonce, ad) -> Ciphertext
  • “ad” is the associated data, can be a counter.
• RULE: The combination of “nonce” and “ad” shall never be the same for all time!
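The nonce and associated-data rules above, as an added Go example that is not part of the original slides: AES-GCM from the standard library with a record counter as associated data. The all-zero key, the sample nonce and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// newGCM builds AES-128-GCM with a constructed all-zero demo key.
func newGCM() cipher.AEAD {
	block, _ := aes.NewCipher(make([]byte, 16)) // a 16-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)              // nor can a 128-bit block cipher
	return gcm
}

// seal returns ciphertext||tag; the counter is authenticated but not encrypted.
func seal(nonce []byte, counter uint64, plaintext []byte) []byte {
	ad := binary.BigEndian.AppendUint64(nil, counter)
	return newGCM().Seal(nil, nonce, plaintext, ad)
}

// open verifies the tag over ciphertext and counter before returning plaintext.
func open(nonce []byte, counter uint64, record []byte) ([]byte, error) {
	ad := binary.BigEndian.AppendUint64(nil, counter)
	return newGCM().Open(nil, nonce, record, ad)
}

// nonceReuseLeaksXOR seals a and b (equal length) under one nonce and reports
// whether the XOR of the ciphertexts equals the XOR of the plaintexts.
func nonceReuseLeaksXOR(a, b []byte) bool {
	nonce := make([]byte, 12)
	ca, cb := seal(nonce, 1, a), seal(nonce, 2, b) // different ad, same nonce
	for i := range a {
		if ca[i]^cb[i] != a[i]^b[i] {
			return false
		}
	}
	return true
}

func main() {
	nonce := []byte("nonce-000001") // 12 bytes, constructed
	rec := seal(nonce, 1, []byte("hello"))
	_, err := open(nonce, 2, rec) // same record presented at the wrong position
	fmt.Println("wrong counter rejected:", err != nil)
	fmt.Println("nonce reuse leaks XOR:", nonceReuseLeaksXOR([]byte("hello"), []byte("world")))
}
```

A record opened with the wrong counter fails authentication, and a repeated nonce exposes the XOR of the two plaintexts even though the associated data differed.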
Ciphers explained
Name                                   Prot  Kx     Au     Enc          Bits  Mac
TLS_RSA_WITH_RC4_128_MD5               TLS   RSA    RSA    RC4_128      128   MD5
TLS_DH_RSA_WITH_DES_CBC_SHA            TLS   DH     RSA    DES_CBC      56    SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA       TLS   DHE    RSA    AES_128_CBC  128   SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA    TLS   ECDH   ECDSA  AES_256_CBC  256   SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  TLS   ECDHE  RSA    AES_256_GCM  256   SHA384

Ciphers explained (2)
• TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • Cipher is sent to indicate that if the server wishes to renegotiate any parameters, this is only supported over the secure connection. Renegotiation over plaintext will not be accepted.
• TLS_FALLBACK_SCSV
  • Cipher is sent by the client when a previous connection with a higher protocol was not successful for whatever reason (TLS 1.2 -> TLS 1.0).
  • A server that supports this cipher can now see that the session was “downgraded”.

TLS Handshake
Client -> Server: ClientHello
Server -> Client: ServerHello
Server -> Client: ServerCertChain & (SrvKeyExchg)
Client: Verify Server Certificate & Check Crypto Parameters
Client -> Server: ClientKeyExch
TLS Handshake
Client -> Server: ClientHello
Server -> Client: ServerHello
Server -> Client: ServerCertChain & (SrvKeyExchg)
Client: Verify Server Certificate & Check Crypto Parameters
Client -> Server: ClientKeyExch
Client -> Server: ChangeCipherSpec
Client -> Server: ClientFinished
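An added example, not from the original slides, that splits suite names the way the “Cipherstrings” and “Ciphers explained” slides do and flags PFS, AEAD and the SCSV signalling values. The Suite type and Parse function are hypothetical names; the AEAD check also recognises POLY1305, which goes beyond the suites shown in the table.

```go
package main

import (
	"fmt"
	"strings"
)

// Suite holds the columns of the "Ciphers explained" table plus three flags.
type Suite struct {
	Kx, Au, Enc, Mac  string
	PFS, AEAD, Signal bool
}

// Parse splits a name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
// TLS 1.3 names (no _WITH_) are rejected rather than guessed at.
func Parse(name string) (Suite, error) {
	if strings.HasSuffix(name, "_SCSV") {
		return Suite{Signal: true}, nil // signalling value, not a cipher
	}
	left, right, ok := strings.Cut(strings.TrimPrefix(name, "TLS_"), "_WITH_")
	i := strings.LastIndex(right, "_")
	if !strings.HasPrefix(name, "TLS_") || !ok || i < 0 {
		return Suite{}, fmt.Errorf("not a TLS 1.2-style suite name: %q", name)
	}
	var s Suite
	// "ECDHE_RSA" is key exchange + authentication; a lone "RSA" does both.
	s.Kx, s.Au, _ = strings.Cut(left, "_")
	if s.Au == "" {
		s.Au = s.Kx
	}
	// The last token is the hash; what precedes it is cipher, key size and mode.
	s.Enc, s.Mac = right[:i], right[i+1:]
	s.PFS = s.Kx == "DHE" || s.Kx == "ECDHE" // ephemeral DH only
	s.AEAD = strings.HasSuffix(s.Enc, "_GCM") || strings.Contains(s.Enc, "POLY1305")
	return s, nil
}

func main() {
	for _, n := range []string{ // names taken from the slides
		"TLS_RSA_WITH_RC4_128_MD5",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_FALLBACK_SCSV",
	} {
		s, err := Parse(n)
		fmt.Printf("%-40s %+v %v\n", n, s, err)
	}
}
```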