OverviewofTLSv1.3What’snew,what’sremovedand

what’schanged?

AboutMe

• AndyBrodie– WorldpayPrincipalDesignEngineer.

– BasedinCambridge,UK.– andy.brodie@owasp.org

• Neitheracryptographernoramathematician!– Thismeansnomathsinthispresentation.

Agenda

• History&Background.

• What’sBeenRemoved.

• What’sNew&Changed.– CipherSuites.

– HandshakeChanges.

– Hashed-KeyDerivationFunction.

– SessionResumption.

• Summary.

3

HISTORY&BACKGROUNDTheGoalsandBasicsofTLS

4

HowSSLbecameTLS

5

When Who What Comments

1994 Netscape SSL1.0designed. Neverpublishedassecurityflawswerefoundinternally.

1995 Netscape SSLv2.0published. Flawsfoundprettyquickly,whichledto…

1996 Netscape SSLv3.0published. SSLbecomesubiquitous.

1999 IETF TLSv1.0published(SSLv3.1) Incrementalfixes,politicalnamechangeandIETFownership.

2006 IETF TLSv1.1published(SSLv3.2) Incrementalfixesandcapabilities.

2008 IETF TLSv1.2published(SSLv3.3) Whatweshouldallbeusing!

2014 IETF TLSv1.3draft1(SSLv3.4)

2018 IETF TLSv1.3draft23 ExpiresJuly15

Stoptoconsidertheawesomeness!

AClientandServercanhaveasecureconversationoveraninsecuremediumhavingnevermetbefore.

Whatisasecureconversation?

• Privacy– Conversationmustbeencrypted.– Preventeavesdroppingattacks.

• Integrity– Client&Servermustbeabletodetectmessagetampering.– PreventManInTheMiddle(MITM)attacks.

• Authentication– Clientneedstotrustthey’retalkingtotheintendedserver.– Preventimpersonationattacks.

TLSachievesthisusingvarioustechniques…

• Privacy– Symmetrickeyencryptionforapplicationdata.– TypicallyAdvancedEncryptionStandard(AES).

• Integrity– AuthenticatedEncryptionwithAdditionalData(AEAD).– UsuallyAES-GCM(Galois/CounterMode)ciphermode.

• Authentication– X509certificatessignedbyamutuallytrustedthirdparty.– Typicallyserverauthenticatedonly.

FlowofmessagesinaTLSconversation

9

Handshake

Alert

OpenSocket

CloseSocket

ApplicationData

FlowofmessagesinaTLSconversation

• Handshake– Agreeaciphersuite.– Agreeamastersecret.– Authenticationusingcertificate(s).

• ApplicationData– Symmetrickeyencryption.– AEADciphermodes.– TypicallyHTTP.

• Alerts– Gracefulclosure,or– Problemdetected.

10

Handshake

Alert

OpenSocket

CloseSocket

ApplicationData

TLSV1.3https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html

KeyGoalsofTLSv1.3

• KeyGoalsofTLSv1.3:– Cleanup-Removeunsafeorunusedfeatures.

– Security-Improvesecurityw/moderntechniques.

– Privacy-Encryptmoreoftheprotocol.

– Performance–1-RTTand0-RTThandshakes.

– Continuity–Backwardscompatibility.

12

WHAT’SREMOVEDINTLSV1.3?

13

What’sremovedinTLSv1.3

• KeyExchange– RSA

• Encryptionalgorithms:– RC4,3DES,Camellia.

• CryptographicHashalgorithms:– MD5,SHA-1.

• CipherModes:– AES-CBC.

• Otherfeatures:– TLSCompression&SessionRenegotiation.– DSASignatures(ECDSA≥224bit).– ChangeCipherSpecmessagetype&“Export”strengthciphers.– Arbitrary/Custom(EC)DHEgroupsandcurves.

14

Thishasmitigatedquiteafewattacks…

15

RC4• Roos’s Bias 1995 • Fluhrer, Martin & Shamir 2001 • Klein 2005 • Combinatorial Problem 2001 • Royal Holloway 2013 • Bar-mitzvah 2015 • NOMORE 2015

MD5&SHA1• SLOTH 2016 • SHAttered 2017

AES-CBC• Vaudenay 2002 • Boneh/Brumley 2003 • BEAST 2011 • Lucky13 2013 • POODLE 2014 • Lucky Microseconds 2015RSA-PKCS#1v1.5Encryption

• Bleichenbacher 1998 • Jager 2015 • DROWN 2016 Compression

• CRIME 2012Renegotiation

• Marsh Ray Attack 2009 • Renegotiation DoS 2011 • Triple Handshake 2014

3DES• Sweet32

WHAT’SNEWANDCHANGED?

16

What’sNewandChanged?

• CipherSuites.

• Handshake.

• Hashed-KeyDerivationFunction(HKDF).

• KeySchedule.

• Sessions.

17

CIPHERSUITES

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Protocol

KeyExchange

AEADCipherMode

PRFHashAlgorithm

Authentication

TLSv1.2provides37CipherSuites

• TLS1.2specifies37ciphersuites.– Addpreviousversionsin:319ciphersuites.

TLS1.3CipherSuites

• TLSv1.3supports5ciphersuites.– TLS_AES_128_GCM_SHA256– TLS_AES_256_GCM_SHA384– TLS_CHACHA20_POLY1305_SHA256– TLS_AES_128_CCM_SHA256– TLS_AES_128_CCM_8_SHA256

20

TLS_AES_128_GCM_SHA256

AEADCipherMode

HKDFHashAlgorithm

Protocol

Whathappenstokeyexchangeandauthenticationthen?

• KeyExchangealgorithms:– DHE&ECDHE

• Only5ECDHEcurvegroupssupported• Only5DHEfinitefieldgroupssupported

– Pre-SharedKey(PSK)– PSKwith(EC)DHE

• DigitalSignature(Authentication)algorithms:– RSA(PKCS#1variants)– ECDSA/EdDSA

21

HANDSHAKECHANGES

TLSHandshake

• Thehandshakehasthreegoals:– Agreeaciphersuite.

– Agreeamastersecret.

– EstablishtrustbetweenClient&Server.

• Optimiseforthemostcommonusecases.– Everyone*wantsasecureconversation.

– Sameciphersuitesusedacrosswebsitesrepeatedly.

– Clientsconnecttothesamesitesrepeatedly.

23*ok,almosteveryone!

TLS1.2Handshake

ThreeStagesofaTLS1.3Handshake

25

KeyExchange

ServerParameters

Authentication

Clientnowmakesassumptionsaboutserversupport.

• Clientsends:– CipherSuiteoptions.– Listofsupportedgroups/curves.– (EC)DHEKeyShare(s).

• Serversends:– Ciphersuiteselection.– (EC)DHEKeyShare

• ClientandServernowshareakey.

26

Therestofthehandshakeisencrypted.

• Serversends:– EncryptedExtensions

• ServerName

• MessageLength

• …andoptionallymanymore

– CertificateRequest• Supportedsignaturealgorithms.

27

Clientnowmakesassumptionsaboutserversupport.

• Serversends:– Certificate.– Proofofprivatekeypossession.– Finished.– ApplicationData

• Clientresponds:– Certificate.– Proofofprivatekeypossession.– Finished.

28

EfficiencyGains

29

GENERATINGKEYSUSINGHKDF

30

HKDF(RFC5869) HMAC-basedKeyDerivation

Function

• TLS<=v1.2definesPRFalgorithm.

• TLSv1.3replacesthiswithHKDF.– HKDFencapsulateshowTLSusesHMAC.– Re-usedinotherprotocols.– Separatecryptographicanalysisalreadydone.

• Provides2functions:– Extract-createapseudo-randomkeyfrominputs.– Expand-createmorekeysfromtheextractoutput.

• HMACisintegraltoHKDF.– HMACrequirestheCryptographicHashalgorithmspecifiedinthecipher

suite(SHA256orSHA384).

31

HowthePRFisimplemented

32

KeyMaterial

HMAC(SHA-256)label+seed

PRF(secret,label,seed)

P_HASH(secret,label+seed)

TLS<=v1.2CreatingKeyMaterialfromamastersecret

Pre-masterSecret MasterSecret KeyMaterial

ServerWriteKey

ClientWriteKey

ClientWriteIV

ServerWriteIV

ServerMACKey

ClientMACKey

48bytes>=46bytes ∞

PRF

PRF

TLSv1.3KeyScheduleGeneration

34

ClientEarlyTrafficSecretBinderKey

HandshakeSecret

ClientTrafficHandshakeSecret

ServerTrafficHandshakeSecret

(EC)DHE

ClientApplicationTrafficSecret0

DeriveSecret

PSK EarlySecret

0

EarlyExporterMasterSecret

MasterSecret

DeriveSecret

0

ServerAppTrafficSecret0

ExporterMasterSecret

ResumptionMasterSecret

ClientApplicationTrafficSecretN

ServerAppTrafficSecretN

Derive-Secret

HKDF-Expand-Label

HKDF-Extract

Derive-SecretFixed

PSKTicketNNonceN

PRE-SHAREDKEYSANDSESSIONSWhat’sthedifference?

35

Whydoweneedsessions?

• Fullhandshakesareexpensive.– Keygeneration.

– Server(&Client)Authentication.

• ManyHTTPclientsneedit.– Downloadwebpageresources(JS,CSS,images).

– Dynamicwebpages(XHR).

– Maynotbefeasibletokeepconnectionopen.

36

HowdoweestablishaPSK?

• Out-of-band– AddedtoTLSin2006viaRFC4279.

• DuringHandshake– Clientannouncesitsupportssessionresumption.– ServerprovidesaPSKidentitiesduringhandshake.

• Afterhandshake,Serversends“NewSessionTicket”– ContainsPSKidentity,nonceandmaxage.– ThePSKisderivedfrommastersecret.– Servercansendmultipletickets.

37

So,TLSv1.3supportsPSK-basedsessionresumption

38

becomes…

WhataboutZeroRoundTripTime(0-RTT)?

• PSKmeansthekeyisknowntobothsides.– DoesthismeanClientcansenddataimmediately?

– Canwehaveazeroroundtriptimehandshake?

39

Yes,wecan!• But…

– Noforwardsecrecyforthe“earlydata”sentbyclient.

– Noguaranteesofnon-replay.

So,TLSv1.3supportsPSK-basedsessionresumption

40

becomes…

BACKWARDSCOMPATIBILITYExtensions…Extensionseverywhere!

41

BackwardsCompatibility

• Backwardscompatibilityisimportant– TLSv1.3clientsneedtotalktoTLSv1.2servers.– TLSv1.2clientsneedtotalktoTLSv1.3servers.

• StructureofHellomessagesismaintained.– 12extensionsdefinedintheRFC.– 9extensionsdefinedinotherRFCs.

• E.g.serverkeyexchangemessagereplacedwithkey_shareextension.

42

Alltheextensions

43

Extension TLS1.3

server_name[RFC6066] CH,EE

max_fragment_length[RFC6066] CH,EE

status_request[RFC6066] CH,CR,CT

supported_groups[RFC7919] CH,EEsignature_algorithms[RFC5246] CH,CR

use_srtp[RFC5764] CH,EE

heartbeat[RFC6520] CH,EE

application_layer_protocol_negotiation[RFC7301] CH,EE

signed_certificate_timestamp[RFC6962] CH,CR,CT

client_certificate_type[RFC7250] CH,EEserver_certificate_type[RFC7250] CH,CT

padding[RFC7685] CH

key_share CH,SH,HRR

pre_shared_key CH,SH

psk_key_exchange_modes CH

early_data CH,EE,NSTcookie CH,HRR

supported_versions CH

certificate_authorities CH,CR

oid_filters CR

post_handshake_auth CH

Acronym Message

CH ClientHello

SH ServerHello

EE EncryptedExtensions

CT CertificateCR CertificateRequest

NST NewSessionTicket

HRR HelloRetryRequest

BackwardsCompatibilityConsiderations

• ProtocolVersionismentionedineverymessage.– Nowdeprecated/fixedtooldversionvalues

– Handshakeclaims1.2,AppDataclaims1.0.

– Newextensionspecifieslistofsupportedversions.

• Fixedvaluestopreventdowngradeattacks.– Server“Random”hasfixedlast8bytes

• DOWNGRD[0x01]forTLS1.2clients.

• DOWNGRD[0x00]for<=TLS1.1clients.

44

Andthat’sTLSv1.3!

• Removed– Anythingthatwasunused,unsafeordidn’toffersignificantvalue.

• Added– Handshakeencryption.– 1-RTTand0-RTTPSK/SessionResumption.

• Changed– CipherSuites.– Handshake.– Hashed-KeyDerivationFunction(HKDF).– KeySchedule.– Sessions.

45

THANKYOUFORLISTENING!

Myownthoughts?

• TheGood:– Massiveefficiencygains*.

– FewerchoicesforClient&Servermeansreducedattackvectors.

• TheBad:– “Extensions….extensionseverywhere”(21)

– Alotofaddedcomplexityforbackwardscompatibility.

– Specificationconsumabilityisquestionable.

47*0-RTThasa“whiffoffutureregret”aboutit.

APPENDIXUnusedSlides

48

What’sthepointofthemastersecret?

• ClientandServerneed:– Keysforsymmetricencryption.– InitialisationVectorsforAEADCipherModes.

• Keys&IVsgeneratedfromamastersecret.

• TLSdefinesa“KeySchedule”– HowHKDFalgorithmisused.– Howtogenerateaninfiniteamountofsecurekeymaterial.

• So,howdoesHKDFwork?

49

HMAC(ISTHENEWPRF)HMAC-basedExtract-and-ExpandKeyDerivationFunction

50

WhatisHKDFusedfor?

• KeySchedules– HandshakeSecrets.– EarlyTrafficSecrets.– MasterSecret.– ApplicationDataSecrets.– InitialisationVectors.

• TranscriptHashes– CertificateVerification.– Handshake“Finished”Keys.

51

HKDF(RFC5869) HMAC-basedExtract-and-ExpandKeyDerivationFunction

• TLS<=v1.2definesPRFalgorithm.– HKDFencapsulateshowTLSusesHMAC.– Re-usedinotherprotocols.– Separatecryptographicanalysisalreadydone.

• Provides2functions:– Extract-createapseudo-randomkeyfrominputs.– Expand-createmorekeysfromthefirstkey.

• HMACisintegraltoHKDF.

52

CryptographicMACFunction:HMAC

• ItcreatesaMessageAuthenticationCodeusing:– Messagedata.

– Asharedkey.

– Acryptographichashalgorithm(setinciphersuite).

• SHA256orSHA384.

53

MessageAuthenticationCodes-Integrity

• Keyed-HashMessageAuthenticationCode

54

Ight

message

0x5c5c5c5c5c5c5c…

HMAC

hash

XOR

XOR’dSecretKey

0x36363636363636…

XOR’dSecretKey

XOR

hash

hash

HKDFExtract&Expand

• Extract– CreatesaPseudo-RandomKey(PRK)

Expand– CreatesinfinitekeymaterialfromthePRK.

– IterativelycallsHMACwithanincreasingcounter.

55

HKDF-Expand(PRK,info,L)->OKMT(0)=emptystring(zerolength)T(1)=HMAC-Hash(PRK,T(0)|info|0x01)T(2)=HMAC-Hash(PRK,T(1)|info|0x02)…

HKDF-Extract(salt,IKM)->PRKPRK=HMAC-Hash(salt,IKM)

However,it’sunfortunatelynotthatsimple…

56

“tls13“

char[6]

Label

Variable[12]

Length

enum

HashValue

Variable[255]

Messages[1]

Variable

Messages[n]

Variable

Messages[0]

Variable

…Hash( )

Derive-Secret(Secret,Label,Messages[])=

HKDF-Expand(

Hash.Length)

Secret,

,

ClientsaysHello

57

CHParameter Description Notes

ProtocolVersion Legacyslotforprotocolversion.

0x0303TLSv1.2

Random TheClientRandom NomoreUnixtime

SessionID SessionID Forced0bytelength

CipherSuites Symmetriccipheroptions OneofFive

CompressionMethods N/A Mustspecifynotsupported.

SupportedVersions Listofuint16 0x0304(TLSv1.3)

SignatureAlgorithms Listofsupported RequiredforClientCertAuth

NegotiatedGroups Requiredfor(EC)DHE

KeyShare Requiredfor(EC)DHE

Pre-SharedKey RequiredforPSK(incl.sessionresumption)

FirstContact:ClientHello

• Clientinitiatestheconnection.• Contents:

– Version(Legacy)• Unused,mustbesetto0x0303(TLSv1.2)

– ClientRandom• UsedinPRFtocreatemastersecret.

– SessionID(Legacy)• Ignored,keptforbackwardscompatibility.

– SupportedCipherSuites• Whatciphersuitesthisclientcansupport.

– Compression(Legacy)• Ignored,keptforbackwardscompatibility

– Extensions(TLSv1.3)• ListofsupportedTLSversions(mandatory)

– Extensions(Others)• Otherextensions,e.g.SNI

58

RSAKeyExchange&ForwardSecrecy

• TheproblemwithRSAkeyexchange:– Thepre-mastersecretisalwaysencryptedwiththepubliccertificatekeyinthecertificate.

– Thecertificatedoesn’tchange(often).

– Iftheprivatekeywasevercompromised,Evecouldreadeveryconversation.

59

SHA-1&MD5Weaknesses

• Cryptographichashalgorithmfeatures:– Findanymandm’suchthathash(m)=hash(m’)– Findm’givenmsuchthathash(m)=hash(m’)– Findmgivenxsuchthathash(m)=x

• MD5vulnerabilities:– Collisionattack–done.– Theoreticalattackonpre-image(2123operations).

• SHA-1vulnerabilities:– Collisionsattack–given6500CPU-yearsor1000-GPUyears.– Reducedcryptographicstrengthfrom160bitsto77bits.

60

RenegotiationAttacks[RRDO10]

61