Transport Layer Security (TLS) &
Secure Socket Layer (SSL)
Network Security Workshop
What is TLS/SSL
• Secure Socket Layer (SSL) originally developed at
Netscape to enable ecommerce transaction security on the
Web
• Transport Layer Security (TLS) replaces SSL
– A widely adopted security protocol designed to facilitate privacy and
data security for communications over the Internet.
• Overall goal of SSL/TLS is to protect the privacy and
integrity of communications between two end points.
https://hpbn.co/transport-layer-security-tls/
What is TLS/SSL
• Validated using Public Key Cryptography
– Trusted Certificate Authority
– Public Key Infrastructure (PKI) with certificate revocation
• Perfect Forward Secrecy (PFS)
– Ensures that previous communications cannot be decrypted if the Private Key is compromised
– Not always implemented but should be!
• Client / Server Applications
– HTTPS
– IMAP
– SMTP
– FTPS
https://hpbn.co/transport-layer-security-tls/
TLS Protocol
[Layer diagram: Application (HTTP) over TLS (encrypted TLS data [HTTP]) over Transport (TCP) over Internet over Network Access]
TLS Protocol
https://datatracker.ietf.org/doc/html/rfc2246
TLS Protocol
https://datatracker.ietf.org/doc/html/rfc2246
https://learning.oreilly.com/library/view/packet-analysis-with/9781785887819/ch04.html
TLS/SSL Versions
https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html
TLS Versions
• TLS Version 1.0 released in 1999
– Upgrade to SSL Version 3.0
– SSL Fallback mechanism
– RFC 2246
• TLS Version 1.1 released in April, 2006
– Protection against Cipher Block Chaining (CBC) attacks
• TLS Version 1.2 released in August, 2008
– RFC 5246
– Added cipher-suite-specified pseudorandom functions
– Added AES cipher suites
– Removed IDEA & DES cipher suites
http://itenwired.com/wp-content/uploads/2019/11/Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-the-2020-Apocalypse.pptx
TLS Versions
• TLS Version 1.3 released in August, 2018
– RFC 8446
– Removes SHA-1, MD5, RC4, DES & 3DES ciphers
– Server Name Indication (SNI) encryption & single round trip
http://itenwired.com/wp-content/uploads/2019/11/Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-the-2020-Apocalypse.pptx
TLS: What it does
• Confidentiality
– Encryption
• Integrity
– Keyed hash (HMAC): TLS (authentication!)
– Hash (MAC): SSL
• Authentication
– certificates
TLS Operations
• Client connects to the server
– To access a resource
• Public-key cryptography during initial handshake to
authenticate and exchange session keys
– PKI (X.509 Certificates)
• Symmetric key cryptography to encrypt and hash data
– Master secret (shared secret) generated
– Separate Encryption and Hashing keys from the master secret
Demo: Connect to HTTPS
https://wiki.apnictraining.net/
Connect to HTTPS
https://datatracker.ietf.org/doc/html/rfc2246
SSL/TLS Negotiation Process
• The Handshake
– Applies to every SSL/TLS connection
– Determines cipher suite to be used
– Determines protocol version to be used
– Requires asymmetric cryptography
• Public Key via validated certificate
• Private Key known only to server
– Typically only basic or one-way authentication
– Some servers may require two-way authentication
• This requires two asymmetric negotiations
• Might be seen in transactions like funds transfers where both ends must be known
– Requires 3 round trip communications
How TLS Works – Part 1
[Diagram: PKI (public-key exchange) establishes a shared Master Secret, from which an Encryption key and a Hashing key are derived to produce the encrypted data]
Symmetric Encryption
• Once the server’s public key is verified up the chain of trust
– Client generates a pre-master secret (C-random & S-random)
– Sends it to the server encrypted (with the server’s public key)
• Both client and server generate the Master Secret
– Uses the pre-master secret, C-random, and S-random with the agreed key exchange cipher (eg: DH)
• Separate Encryption and Hashing keys are generated from the Master Secret
– All future communication is hashed and encrypted using the symmetric keys
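An added example, not part of the slides, that carries the derivation above through in Python using the TLS 1.2 PRF from RFC 5246 (P_SHA256): the pre-master secret, C-random and S-random become the 48-byte Master Secret, which is then expanded into separate client and server hashing (MAC) and encryption keys. The pre-master secret and the two randoms are constructed values, not captured from a real handshake.

```python
import hmac
import hashlib

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC chained over A(i) values."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master: bytes, c_random: bytes, s_random: bytes) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]
    return prf(pre_master, b"master secret", c_random + s_random, 48)

def key_block(master: bytes, c_random: bytes, s_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret into the six per-direction keys (RFC 5246 section 6.3).
    Note the randoms are concatenated server-first here, the reverse of master_secret."""
    names = ["client_write_MAC_key", "server_write_MAC_key", "client_write_key",
             "server_write_key", "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    block = prf(master, b"key expansion", s_random + c_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def derive_session_keys(pre_master: bytes, c_random: bytes, s_random: bytes) -> dict:
    """Full derivation for an AES-256-CBC / HMAC-SHA256 suite (32-byte MAC key,
    32-byte cipher key, 16-byte IV per direction)."""
    return key_block(master_secret(pre_master, c_random, s_random),
                     c_random, s_random, 32, 32, 16)

# Constructed inputs: with RSA key exchange the client sends a fresh 48-byte
# pre-master secret encrypted under the server's public key; the two 32-byte
# randoms come from ClientHello and ServerHello.
PRE_MASTER = bytes([3, 3]) + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    for name, key in derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:22s} {key.hex()}")
```

Because both ends feed the same three inputs into the same PRF, they arrive at identical keys without the keys themselves ever crossing the wire; only the encrypted pre-master secret does.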
How TLS Works – Part 2
[Diagram: the shared Master Secret yields an Encryption key and a Hashing key; symmetric encryption with these keys produces the encrypted data]
SSL/TLS Negotiation Process
• Data Transfer
– Agree on a Master session key
– Use of the negotiated key for encrypting and decrypting traffic
– This is called the Record layer
PKI – public key infra
• Digital (X.509) certificates
– associates a public key with an individual or organization
X.509 certificate fields:
VERSION: Version of X.509
SERIAL NUMBER: Uniquely identifies the certificate
SIGNATURE ALGORITHM: Algorithm used by the CA to sign the cert
ISSUER NAME: Id of the CA (that issued the cert)
VALIDITY PERIOD: Cert validity
SUBJECT NAME: Entity associated with the public key
SUBJECT PUBLIC KEY: Owner’s public key
EXTENSIONS (ISSUER KEY ID): Identifies the public key of the issuer of the cert
EXTENSIONS (SUBJECT KEY ID): Extra info (owner of the cert)
EXTENSIONS (CRL): Certificate Revocation List information
CA DIGITAL SIGNATURE: Certifies the binding – signs the public key of the subject
https://datatracker.ietf.org/doc/html/rfc5280
PKI – Chain of Trust
• Root Certificate Authority (CA)
– Self-signed
– Issues and signs the ICA’s certificate
• Intermediate CA (ICA)
– Issues and signs the EE certificate
• End Entity (EE)
[Diagram: Root CA at the top, two ICAs beneath it, four EEs beneath the ICAs]
https://en.wikipedia.org/wiki/Public_key_certificate
PKI – Example
• Client (browser) sends https request to google.com
– browsers have trusted CA certificates stored
• Web server sends back google.com’s certificate
– Signed by Google ICA, plus
– Google ICA’s certificate signed by root CA (GeoTrust)
• Verify the certificates up the chain of trust
– Once successfully verified, use the public key
[Diagram: Root CA Cert (signature self-signed); ICA Cert (signature signed by root); google.com Cert (signature signed by ICA)]
X.509 certificate formats and extensions
• Base64 (ASCII)
– PEM (Privacy-enhanced Electronic Mail)
• .pem
• .crt
• .ca-bundle
– PKCS#7 (Public Key Cryptography Standards)
• .p7b
• .p7s
• Binary
– DER (Distinguished Encoding Rules)
• .der
• .cer
– PKCS#12
• .pfx
• .p12
https://www.ssls.com/knowledgebase/what-are-certificate-formats-and-what-is-the-difference-between-them/
https://www.tutorialsteacher.com/https/ssl-certificate-format
PKI certificate file extensions
• Four different ways to present certificates and their components:
– PEM - Governed by RFCs, used preferentially by open-source software because it is text-based and therefore less prone to translation/transmission errors. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
– PKCS7 - An open standard used by Java and supported by Windows. Does not contain private key material.
– PKCS12 - A Microsoft private standard that was later defined in an RFC that provides enhanced security versus the plain-text PEM format. This can contain private key and certificate chain material. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.
– DER - The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used very much outside of Windows.
https://en.wikipedia.org/wiki/X.509
Demo: Review TLS pcap
https://www.cloudshark.org/captures/64d433b1585a
Trusted vs Non-trusted Certificate
Demo: BadSSL
https://badssl.com
Certificate Authority
QuoVadis Global SSL ICA G3
https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html
WoSign
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
Demo: PKI using OpenSSL
https://www.globalsign.com/en/blog/information-security-its-easy-p-k-I
1. Alice and Bob create their own private and public keys.
2. Bob sends Alice his public key.
3. Alice encrypts the message using Bob’s public key and sends it to Bob.
4. Bob decrypts Alice’s message using his private key.
Introducing Let’s Encrypt
• An open source CA
– Prove ownership of your domain to get your digital (TLS/SSL) certificate
– https://letsencrypt.org
Let’s Encrypt chain
• Let’s Encrypt ICA (X3) cross-signed by DST (IdenTrust)
– Until ISRG (Internet Security Research Group) is trusted by everyone
https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html
Introducing Let’s Encrypt
• Browsers and OS
– https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394
• Check your browser
– https://wiki.apnictraining.net
• (signed by Let’s Encrypt)
Known Attacks on TLS/SSL
https://www.feistyduck.com/ssl-tls-and-pki-history/
BEAST (CVE-2011-3389)
• Browser Exploit Against SSL/TLS (BEAST)
– Affects TLS 1.0 and older
https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html
CRIME (CVE-2012-4929)
• Compression Ratio Info-leak Made Easy (CRIME)
https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
BREACH (CVE-2013-3587)
• Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)
• The vulnerability affects websites that:
– Are hosted on a server that uses HTTP-level compression
– Reflect user input in HTTP response bodies
– Reflect a secret (such as a Cross-site request forgery token) in HTTP response bodies
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3587
Heartbleed (CVE-2014-0160)
https://xkcd.com/1354/
https://heartbleed.com
Poodle (CVE-2014-3566)
• A combination of MiTM and downgrade attack
• Exploits the SSL 3.0 vulnerability in the Cipher Block
Chaining (CBC) mode
https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
Poodle variants
• Zombie POODLE attacks encrypted Web and VPN
sessions
• GOLDENDOODLE a faster more powerful crypto-hack of
POODLE
https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6593
Freak (CVE-2015-0204)
• FREAK (“Factoring RSA Export Keys”)
• MiTM attack during the pre-master-secret negotiation
• Force the use of ‘export-grade’ cryptography
https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
Logjam (CVE-2015-4000)
• MiTM attack to downgrade ciphers
• Similar to the FREAK attack
• Attacks the Diffie-Hellman (DH) key exchange
• For more detail - https://weakdh.org
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4000
DROWN (CVE-2016-0800)
• allows an attacker to decrypt one connection at a time
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0800
https://drownattack.com
Sweet32 (CVE-2016-2183)
• affects the block cipher triple-DES
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2183
https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html
Bleichenbacher attack (CVE-2017-6168)
• enable an adaptive-chosen ciphertext attack that fully
breaks the confidentiality of TLS
• also named “million message attack”
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6168
https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html
CurveBall (CVE-2020-0601)
• Windows CryptoAPI Spoofing Vulnerability
• only affects Elliptic Curve certificates. RSA type CA
certificates are unaffected.
• vulnerability in which the signature of certificates using
elliptic curve cryptography (ECC) is not correctly verified.
• Need to know Elliptic Curve cryptology to create a fake CA
certificate (beyond the scope of this talk)
https://www.securityinsider-wavestone.com/2020/01/cve-2020-0601-curveball-breaking-trust.html
More details
https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL
Demo: Shodan.io
ssl.version:sslv2 HTTP -ssl.version:sslv3,tlsv1,tlsv1.1,tlsv1.2,tlsv1.3
https://beta.shodan.io/search/facet?query=https&facet=vuln.verified
https://www.shodan.io/search/report?query=ssl.version%3Asslv2+HTTP+-ssl.version%3Asslv3%2Ctlsv1%2Ctlsv1.1%2Ctlsv1.2%2Ctlsv1.3
TLS 1.0 and 1.1 Deprecation
• March 2021: RFC 8996 formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346)
– https://datatracker.ietf.org/doc/html/rfc8996
• By March 2020, most of the large providers (Google, Microsoft, Mozilla, Cisco) had deprecated these old TLS versions.
• Recommended to use TLS 1.2
– Some older clients may not support it
TLS 1.0 and 1.1 Deprecation
https://blog.shodan.io/understanding-security-by-country-ssl/
TLS 1.0 and 1.1 Deprecation
https://beta.shodan.io/search/facet?query=http&facet=ssl.version
TLS 1.0 and 1.1 Deprecation
https://beta.shodan.io/search/facet?query=ssl.version%3Atlsv1&facet=vuln.verified
How to check Web server support?
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.apnictraining.net
How to check your browser support?
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
Cipher Suites
• A cipher suite is a set of information that helps determine
how you will communicate secure data over TLS.
https://youtu.be/XwrfZLKsuhE
Cipher Suites
• A cipher suite is a set of information that helps determine how you will communicate secure data over TLS. For example:
– ECDHE is the key exchange algorithm
– RSA is the authentication algorithm
– AES256-GCM is the bulk encryption algorithm
– SHA384 is the message authentication code (MAC) algorithm
https://www.mybluelinux.com/most-secure-ssl/tls-configuration-for-apache-nginx-postfix-dovecot-haproxy-and-other/
Configuration Generator
https://ssl-config.mozilla.org
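An added example, not from the slides or from the Mozilla generator, that audits the two nginx directives the generator emits (ssl_protocols and ssl_ciphers) against the points made above: it splits each OpenSSL cipher-suite name into key exchange, authentication, bulk cipher and MAC as on the previous slide, flags suites without forward secrecy and suites built on primitives from the attack list (RC4, DES/3DES, MD5, export-grade), and flags TLS 1.0/1.1 per RFC 8996. Both configuration fragments are constructed for the demonstration.

```python
import re

# Versions deprecated by RFC 8996 (TLS 1.0/1.1) plus SSLv2/SSLv3.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-name tokens that point at a weak primitive covered in the deck.
WEAK_TOKENS = {"RC4": "RC4 stream cipher", "DES": "DES/3DES (Sweet32)",
               "MD5": "MD5 MAC", "NULL": "no encryption", "EXP": "export-grade (FREAK)"}
KX_TOKENS = {"ECDHE", "DHE", "ECDH", "DH"}

def parse_cipher(name):
    """Split an OpenSSL suite name such as ECDHE-RSA-AES256-GCM-SHA384 into key
    exchange, authentication, bulk cipher and MAC (the PRF hash for AEAD suites)."""
    parts = name.split("-")
    if parts[0] == "EXP":                    # export-grade prefix carries no kx info
        parts.pop(0)
    kx = parts.pop(0) if parts[0] in KX_TOKENS else "RSA"   # no kx token = static RSA
    auth = parts.pop(0) if parts[0] in ("RSA", "ECDSA", "DSS") else "RSA"
    mac = parts.pop() if parts[-1] in ("SHA", "SHA256", "SHA384", "MD5") else "AEAD"
    return {"kx": kx, "auth": auth, "enc": "-".join(parts), "mac": mac,
            "pfs": kx in ("ECDHE", "DHE")}   # only ephemeral kx gives forward secrecy

def cipher_findings(name):
    c, out = parse_cipher(name), []
    if not c["pfs"]:
        out.append(f"{name}: no forward secrecy ({c['kx']} key exchange)")
    out += [f"{name}: {WEAK_TOKENS[t]}" for t in name.split("-") if t in WEAK_TOKENS]
    return out

def audit_config(text):
    """Findings for the ssl_protocols / ssl_ciphers directives of an nginx fragment."""
    findings = []
    m = re.search(r"ssl_protocols\s+([^;]+);", text)
    if m:
        findings += [f"protocol {p} deprecated" for p in m.group(1).split() if p in DEPRECATED_PROTOCOLS]
    m = re.search(r"ssl_ciphers\s+['\"]?([^;'\"]+)['\"]?\s*;", text)
    if m:
        for name in m.group(1).split(":"):
            if "-" in name and not name.startswith("!"):   # skip keywords such as HIGH, !aNULL
                findings += cipher_findings(name)
    return findings

# Constructed nginx fragments: a weak configuration beside a hardened one.
WEAK_CONFIG = """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384';"""
HARDENED_CONFIG = """ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';"""

if __name__ == "__main__":
    print(*audit_config(WEAK_CONFIG), sep="\n")   # the hardened config yields no findings
```

The parser only understands the OpenSSL naming scheme; TLS 1.3 suites (TLS_AES_128_GCM_SHA256 and friends) are negotiated separately and always use ephemeral key exchange.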