
SSL / TLS – Then and Now


Presentation Transcript


  1. SSL / TLS – Then and Now Chuck Milich Joe Dietz Security Engineer Network Security Professional

  2. Disclaimer This presentation represents our opinions/thoughts and not that of our employers…

  3. Joe Dietz – Network Security Professional aka …just joe… A technology focused senior level IT security professional with an excellent balance of business experience and knowledge of systems/network security. Always conducting oneself with integrity and ethical behavior following the motto of “Always, Do the right thing…”. JoeDietzJr@is-s.com (303) 257-8614 cell https://www.linkedin.com/in/joe-dietz-961105/ Disclaimer: This presentation represents my opinions and thoughts and not that of my employer…

  4. Chuck Milich – Security Engineer “I don’t know if you would want Chuck as your CEO, but he does a great job of keeping the lights on.” “Chuck is a network security hub. All security info and connections seem to flow to/from him. He has a fantastic understanding of the industry and is a welcome resource.” - James Small, Principal Architect at AT&T cmilich@protonmail.com (303) 555-1212 home & cell https://www.linkedin.com/in/cmilich/ Disclaimer: This presentation represents my opinions and thoughts and not that of my employer…

  5. Warning: ** No Math Here ** Although Crypto is very math/computational centric, Joe and Chuck are not…

  6. Agenda • SSL/TLS History • Cipher Suite Representation • Cipher Suite Negotiation • Weak Ciphers • TLS SMTP Usage • TLS v1.3 • Testing • How Major Vendors deal with SSL/TLS Intercept

  7. History
     • SSL – Secure Sockets Layer
       • v1 - never publicly released because of serious security flaws in the protocol (Netscape)
       • v2 - released in February 1995, "contained a number of security flaws which ultimately led to the design of SSL version 3.0" (Netscape)
       • v3 - released in 1996, represented a complete redesign of the protocol (Netscape / RFC 6101 – historical document)
     • TLS – Transport Layer Security
       • v1.0 - January 1999, as an upgrade of SSL version 3.0 (RFC 2246)
       • v1.1 - April 2006, enhancements against CBC attacks, explicit initialization vectors (RFC 4346)
       • v1.2 - August 2008, enhancements: MD5-SHA1 → SHA-256, added AES (RFC 5246)
       • v1.3 - As of August 2018, TLS 1.3 is an approved RFC (RFC 8446)
     https://en.wikipedia.org/wiki/Transport_Layer_Security

  8. TLS v1.2 – “The Then..” How we got here https://datatracker.ietf.org/doc/rfc5246/

  9. TLS v1.3 – “The Now…” https://datatracker.ietf.org/doc/rfc8446/

  10. Speed Benefits of TLS v1.3 https://kinsta.com/blog/tls-1-3/#speed-tls-1.3

  11. Cipher Suites – TLS v1.2 (aka Pre TLS v1.3) A cipher suite is a concept used in the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol. Before TLS version 1.3, a cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings. The format of cipher suites is modified with TLS 1.3. In the TLS 1.3 RFC document, cipher suites are only used to negotiate the encryption and hash message authentication (HMAC) algorithms. Sample: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 https://en.wikipedia.org/wiki/Cipher_suite

  12. Displaying Negotiated Cipher Suite (Firefox)

  13. Decoding TLS v1.2 Cipher Suite • TLS v1.2 supports 37 cipher suites. • Add previous versions in: 319 total cipher suites.

  14. Weak Cipher Suites (OWASP – TLS 1.2)
     • Testing for Weak SSL/TLS Ciphers/Protocols/Keys vulnerabilities
     • The large number of available cipher suites and quick progress in cryptanalysis make testing an SSL server a non-trivial task.
     • At the time of writing these criteria are widely recognized as the minimum checklist:
       • Weak ciphers must not be used (e.g. less than 128 bits; no NULL cipher suites, because no encryption is used; no anonymous Diffie-Hellman, because it provides no authentication).
       • Weak protocols must be disabled (e.g. SSLv2 must be disabled, due to known weaknesses in protocol design).
       • Renegotiation must be properly configured (e.g. insecure renegotiation must be disabled, due to MiTM attacks, and client-initiated renegotiation must be disabled, due to a denial of service vulnerability).
       • No Export (EXP) level cipher suites, because they can be easily broken.
       • X.509 certificate key length must be strong (e.g. if RSA or DSA is used the key must be at least 1024 bits).
       • X.509 certificates must be signed only with secure hashing algorithms (e.g. not signed using the MD5 hash, due to known collision attacks on this hash).
       • Keys must be generated with proper entropy (e.g. weak keys generated with Debian).
     • A more complete checklist includes:
       • Secure renegotiation should be enabled.
       • MD5 should not be used, due to known collision attacks.
       • RC4 should not be used, due to cryptanalytic attacks.
       • Server should be protected from the BEAST attack.
       • Server should be protected from the CRIME attack: TLS compression must be disabled.
       • Server should support forward secrecy.
     • https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_%28OTG-CRYPST-001%29#Weak_SSL.2FTLS_Ciphers.2FProtocols.2FKeys
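The two slides above (decoding a TLS 1.2 cipher suite name and the OWASP weak-suite criteria) come together in the following added example. It is not part of the presentation: it splits an IANA-style suite name into key exchange, authentication, cipher, mode and hash, then reports which checklist items the suite fails. The `KEY_BITS` table and the finding strings are this example's own assumptions.

```python
"""Decode a pre-TLS 1.3 cipher suite name and apply the OWASP weak-suite checks."""

# Effective key sizes for the symmetric algorithms that appear in IANA suite names.
KEY_BITS = {"NULL": 0, "RC4_40": 40, "DES40": 40, "DES": 56, "RC4_128": 128,
            "3DES_EDE": 112, "AES_128": 128, "AES_256": 256,
            "CAMELLIA_128": 128, "CAMELLIA_256": 256, "CHACHA20_POLY1305": 256}

def parse_suite(name):
    """Split TLS_<kx>[_<auth>][_EXPORT]_WITH_<cipher>[_<mode>]_<hash> into parts.
    Covers the CBC/GCM/stream suites listed on the nmap slide, not CCM names."""
    left, _, right = name.partition("_WITH_")
    kx_tokens = left[len("TLS_"):].split("_")
    export = "EXPORT" in kx_tokens
    kx_tokens = [t for t in kx_tokens if t != "EXPORT"]
    kx = kx_tokens[0]
    auth = kx_tokens[1] if len(kx_tokens) > 1 else kx  # TLS_RSA_*: RSA does both
    rtoks = right.split("_")
    mac = rtoks.pop()  # for AEAD (GCM) suites this is the PRF hash, not an HMAC
    mode = rtoks.pop() if rtoks[-1] in ("CBC", "GCM") else None
    return {"kx": kx, "auth": auth, "export": export,
            "cipher": "_".join(rtoks), "mode": mode, "mac": mac}

def weak_findings(name):
    """Return the checklist reasons a suite should not be offered ([] means OK)."""
    s = parse_suite(name)
    findings = []
    if s["cipher"] == "NULL":
        findings.append("NULL cipher: no encryption")
    elif KEY_BITS.get(s["cipher"], 128) < 112:
        findings.append(f"{KEY_BITS[s['cipher']]}-bit key is below 112 bits")
    if s["auth"] == "anon":
        findings.append("anonymous Diffie-Hellman: no server authentication")
    if s["export"]:
        findings.append("EXPORT-grade suite (FREAK/Logjam class)")
    if s["cipher"].startswith("RC4"):
        findings.append("RC4: cryptanalytic attacks")
    if s["mac"] == "MD5":
        findings.append("MD5 MAC: collision attacks")
    if s["kx"] not in ("DHE", "ECDHE") and s["auth"] != "anon":
        findings.append("static key exchange: no forward secrecy")
    if s["mode"] == "CBC":
        findings.append("CBC mode: BEAST-class attacks, removed in TLS 1.3")
    return findings

if __name__ == "__main__":
    # Constructed input: the slide's sample suite, one from the nmap output, one EXPORT suite.
    for suite in ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"):
        print(suite, "->", weak_findings(suite) or "OK")
```

Suites the nmap slide grades "A" come back empty; the plain `TLS_RSA_*` suites it could not score are flagged only for missing forward secrecy.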

  15. Weak Cipher Suites – Table View

  16. Weak Cipher Suites – Mindmap View

  17. TLS v1.2 Handshake - Flow

  18. TLS v1.2 Handshake – Flow (Client Hello)

  19. TLS v1.2 Handshake – Flow (Server Hello)

  20. TLS v1.2 Handshake – IPv6

  21. TLS v1.2 Handshake – SMTP http://www.checktls.com/live/index.html

  22. TLS v1.2 Handshake – SMTP

  23. TLS v1.3 • It has been nearly ten years since the last encryption protocol update • New TLS 1.3 RFC finalized as of August 2018 • TLS 1.3 includes many security and performance improvements • With the HTTP/2 protocol update in late 2015, HTTP/3 (QUIC) in progress, and TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever.

  24. Differences with TLS 1.2 and below
     • There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for native TLSv1.3 connections.
     • The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration.
     • Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.
     • Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.
     • More of the handshake is now encrypted.
     • Renegotiation is not possible in a TLSv1.3 connection.
     • More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency).
     • DSA certificates are no longer allowed in TLSv1.3 connections.

  25. Improved Security With TLS 1.3 A big problem with TLS 1.2 is that it is often not configured properly, which leaves websites vulnerable to attacks. TLS 1.3 removes obsolete and insecure features from TLS 1.2, including the following:
     • SHA-1
     • RC4
     • DES
     • 3DES
     • AES-CBC
     • MD5
     • Arbitrary Diffie-Hellman groups – CVE-2016-0701
     • EXPORT-strength ciphers – responsible for FREAK and Logjam
     Because the protocol is in a sense simpler, this makes it less likely for administrators and developers to misconfigure it.

  26. Features Removed from TLS 1.3 • Static RSA handshake • CBC Encryption modes • RC4 • SHA1, MD5 • Compression • Renegotiation

  27. Features Added to TLS 1.3 • Full handshake signature • Downgrade protection • Abbreviated resumption with optional (EC)DHE • Elliptic Curve 25519 and 448 https://en.wikipedia.org/wiki/Elliptic-curve_cryptography https://en.wikipedia.org/wiki/Curve25519

  28. TLS v1.3 Ciphersuites • TLS v1.3 supports 5 Cipher Suites.

  29. TLS v1.3 Ciphersuites
     • OpenSSL has implemented support for five TLSv1.3 ciphersuites:
       • TLS13-AES-256-GCM-SHA384
       • TLS13-CHACHA20-POLY1305-SHA256
       • TLS13-AES-128-GCM-SHA256
       • TLS13-AES-128-CCM-8-SHA256
       • TLS13-AES-128-CCM-SHA256
     • The first three are in the DEFAULT ciphersuite group. This means that if you have no explicit ciphersuite configuration then you will automatically use those three and will be able to negotiate TLSv1.3.
     • If you explicitly configure your ciphersuites then care should be taken to ensure that you are not inadvertently excluding all TLSv1.3 compatible ciphersuites. If a client has TLSv1.3 enabled but no TLSv1.3 ciphersuites configured then it will immediately fail.
     • DSA certificates are no longer allowed in TLSv1.3. If your server application is using a DSA certificate then TLSv1.3 connections will fail with an error message. Please use an ECDSA or RSA certificate instead.

  30. TLS 1.3 – Client Hello

  31. TLS 1.3 – Server Hello
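The Client Hello / Server Hello slides and the ciphersuite-configuration warning on slide 29 are modelled in the following added example, which is not code from the presentation. It encodes and parses the `cipher_suites` vector as it appears on the wire, then performs server-preference selection; the IANA code points are real, while the server preference lists and the `client_offers_tls13` flag (standing in for the `supported_versions` extension) are this example's assumptions.

```python
"""Model ClientHello/ServerHello cipher suite negotiation (RFC 5246 / RFC 8446)."""
import struct

# IANA code points for suites on the nmap and TLS 1.3 slides. TLS 1.3 names carry
# no key-exchange or certificate type; those are fixed elsewhere in the handshake.
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # signalling value, never selected
}
TLS13_SUITES = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}
SCSV = {0x00FF, 0x5600}

def encode_cipher_suites(codes):
    """cipher_suites<2..2^16-2>: 2-byte length, then 2-byte code points."""
    body = b"".join(struct.pack("!H", c) for c in codes)
    return struct.pack("!H", len(body)) + body

def decode_cipher_suites(data):
    """Parse the vector as it appears in a ClientHello; reject odd or short lengths."""
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or length < 2 or len(data) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + length, 2)]

def select_suite(client_vector, server_preference, client_offers_tls13):
    """Server-preference selection (the nmap slide shows 'cipher preference: server').
    TLS 1.3 suites are eligible only if the client advertised TLS 1.3 in
    supported_versions; returns None where a real server sends handshake_failure."""
    offered = set(decode_cipher_suites(client_vector)) - SCSV
    for code in server_preference:
        if code in TLS13_SUITES and not client_offers_tls13:
            continue
        if code in offered:
            return code
    return None

if __name__ == "__main__":
    # Constructed ClientHello list: TLS 1.3 suites, then TLS 1.2 suites, then the SCSV.
    hello = encode_cipher_suites([0x1301, 0x1303, 0xC02F, 0x002F, 0x00FF])
    server = [0x1302, 0x1301, 0xC030, 0xC02F, 0x009C]  # OpenSSL DEFAULT-like order
    for tls13 in (True, False):
        chosen = select_suite(hello, server, tls13)
        print("client TLS 1.3:", tls13, "->", SUITES.get(chosen, "handshake_failure"))
    # Operator excluded every TLS 1.3 suite: a client offering only those cannot connect.
    print(select_suite(encode_cipher_suites([0x1301, 0x1302]), [0xC02F, 0xC030], True))
```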

  32. Testing – Minimum Checklist (OWASP)
     • Prohibited:
       • SSLv2, due to known weaknesses in protocol design
       • SSLv3, due to known weaknesses in protocol design
       • Compression, due to known weaknesses in protocol design
       • Cipher suites with symmetric encryption algorithm smaller than 112 bits
       • X.509 certificates with RSA key smaller than 2048 bits
       • X.509 certificates with DSA key smaller than 2048 bits
       • X.509 certificates signed using MD5 hash, due to known collision attacks on this hash
       • TLS Renegotiation vulnerability
     • SSL Server Rating Guide - https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
     • https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

  33. Testing Tools - Internal • Nmap - https://nmap.org/ • openssl – for hardcore cli types – many options, many details • testssl.sh - https://testssl.sh/ • sslscan – https://github.com/rbsec/sslscan • htrace - https://github.com/trimstray/htrace.sh • mixed-content-scan - https://github.com/bramus/mixed-content-scan • Vulnerability Scanners (many vendors) • … • (send us your favorites)

  34. Testing Tools – Internal - Nmap
      # nmap -p 443 --script=ssl-enum-ciphers colorado-security.com
      Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-02 15:03 MST
      NSE: [ssl-enum-ciphers] OpenSSL not available; some cipher scores will be marked as unknown.
      Nmap scan report for colorado-security.com (198.185.159.145)
      Host is up (0.083s latency).
      Other addresses for colorado-security.com (not scanned): 198.49.23.144 198.185.159.144 198.49.23.145
      PORT    STATE SERVICE
      443/tcp open  https
      | ssl-enum-ciphers:
      |   TLSv1.2:
      |     ciphers:
      |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
      |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
      |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
      |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
      |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
      |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
      |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
      |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
      |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
      |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
      |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
      |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
      |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
      |       TLS_RSA_WITH_AES_128_GCM_SHA256 - unknown
      |       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown
      |       TLS_RSA_WITH_AES_128_CBC_SHA256 - unknown
      |       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown
      |       TLS_RSA_WITH_AES_128_CBC_SHA - unknown
      |       TLS_RSA_WITH_AES_256_CBC_SHA - unknown
      |     compressors:
      |       NULL
      |     cipher preference: server
      |_    least strength: unknown
      Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds

  35. Testing Tools – Internal – openssl
      $ openssl s_client -connect colorado-security.com:443 -tls1_3
      s_client: Option unknown option -tls1_3
      s_client: Use -help for summary.
      $ openssl s_client -connect colorado-security.com:443 -tls1_2
      CONNECTED(00000003)
      depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
      verify return:1
      depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
      verify return:1
      depth=0 C = US, ST = New York, L = New York, O = "Squarespace, Inc.", OU = Web Services, CN = *.squarespace.com
      verify return:1
      ---
      Certificate chain
       0 s:/C=US/ST=New York/L=New York/O=Squarespace, Inc./OU=Web Services/CN=*.squarespace.com
         i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
       1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
         i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      <truncated>

  36. Testing Tools – Internal – testssl.sh
      /opt/testssl.sh/testssl.sh-3.0rc3$ ./testssl.sh colorado-security.com

      ###########################################################
        testssl.sh       3.0rc3 from https://testssl.sh/dev/
        This program is free software. Distribution and
        modification under GPLv2 permitted.
        USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
        Please file bugs @ https://testssl.sh/bugs/
      ###########################################################

      Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers] :./bin/openssl.Linux.x86_64
      (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")

      Testing all IPv4 addresses (port 443): 198.185.159.144 198.49.23.144 198.185.159.145 198.49.23.145
      -----------------------------------------------------
      Start 2019-02-04 15:23:12  -->> 198.185.159.144:443 (colorado-security.com) <<--
      Further IP addresses: 198.49.23.144 198.185.159.145 198.49.23.145
      rDNS (198.185.159.144): --
      Service detected: HTTP

      Testing protocols via sockets except NPN+ALPN
      SSLv2       not offered (OK)
      SSLv3       not offered (OK)
      TLS 1       not offered
      TLS 1.1     not offered
      TLS 1.2     offered (OK)
      TLS 1.3     offered (OK): final
      NPN/SPDY    not offered
      ALPN/HTTP2  h2, http/1.1 (offered)
      <truncated>

  37. Testing Tools – External (Internet exposed) • All of the internal tools plus: • Qualys SSL Labs - https://www.ssllabs.com/index.html • TLS - http://www.checktls.com/ • https://cryptoreport.websecurity.symantec.com/checker/ • https://observatory.mozilla.org/ • Certificate Specific - https://crt.sh • https://www.hardenize.com/ • https://geekflare.com/ssl-test-certificate/ - Even more • … • (send us your favorites)

  38. Testing Tools – External – SSL Labs

  39. Testing Tools – External – SSL Labs

  40. How Major Vendors deal with SSL/TLS • F5 • ExtraHop • Firewall Palo Alto • FireEye • Cisco • Symantec

  41. Traditional Enterprise Border Inspection

  42. Typical TLS Decryption -- Microsoft

  43. PFS – Perfect Forward Secrecy PFS RSA

  44. Traditional “RSA” Based Decryption

  45. TLS v1.3 Decryption Challenges – F5

  46. TLS v1.3 Decryption Challenges – F5

  47. TLS v1.3 Decryption Challenges – ExtraHop

  48. TLS v1.3 Decryption Challenges – Firewall Palo Alto
