Transport Layer Security (TLS) & Secure Sockets Layer (SSL)

Posted on 15-May-2022



Network Security Workshop


What is TLS/SSL

• Secure Sockets Layer (SSL) was originally developed at Netscape to secure e-commerce transactions on the Web

• Transport Layer Security (TLS) replaces SSL

– A widely adopted security protocol designed to provide privacy and data integrity for communications over the Internet

• The overall goal of SSL/TLS is to protect the privacy and integrity of communications between two end points

https://hpbn.co/transport-layer-security-tls/


What is TLS/SSL

• Endpoints are validated using public key cryptography

– Trusted Certificate Authority (CA)

– Public Key Infrastructure (PKI) with certificate revocation

• Perfect Forward Secrecy (PFS)

– Ephemeral (EC)DHE key exchange ensures that previously recorded communications cannot be decrypted if the server's long-term private key is later compromised

– Not always implemented, but it should be; TLS 1.3 removed the static RSA and DH key exchanges that lack it

• Client / server applications

– HTTPS

– IMAP

– SMTP

– FTPS

https://hpbn.co/transport-layer-security-tls/


TLS Protocol

[Figure: TLS sits between the application layer and the transport layer. From top to bottom: Application (HTTP); encrypted TLS data [HTTP]; Transport (TCP); Internet; Network Access.]


TLS Protocol

https://datatracker.ietf.org/doc/html/rfc2246


https://learning.oreilly.com/library/view/packet-analysis-with/9781785887819/ch04.html


TLS/SSL Versions

https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html


TLS Versions

• TLS 1.0, released in January 1999 (RFC 2246)

– Upgrade of SSL 3.0; version negotiation allowed a fallback to SSL 3.0 for legacy peers (the downgrade path POODLE later abused)

• TLS 1.1, released in April 2006 (RFC 4346)

– Explicit per-record IVs as protection against Cipher Block Chaining (CBC) attacks

• TLS 1.2, released in August 2008 (RFC 5246)

– Replaced the fixed MD5/SHA-1 PRF with a cipher-suite-specified pseudorandom function (SHA-256 based by default)

– Added authenticated-encryption (AEAD) modes such as AES-GCM and merged the AES cipher suites of RFC 3268 into the base specification

– Removed the IDEA & DES cipher suites

http://itenwired.com/wp-content/uploads/2019/11/Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-the-2020-Apocalypse.pptx


TLS Versions

• TLS 1.3, released in August 2018 (RFC 8446)

– Removes MD5, SHA-1 (for signatures), RC4, DES and 3DES, and with them the CBC-mode suites, TLS compression, renegotiation and the static RSA/DH key exchanges

– Single round-trip (1-RTT) handshake, with 0-RTT resumption; everything after the ServerHello, including the server certificate, is encrypted

– Note: the Server Name Indication (SNI) in the ClientHello is still sent in the clear; Encrypted Client Hello is a separate extension and not part of RFC 8446

http://itenwired.com/wp-content/uploads/2019/11/Jim-Nitterauer-Decrypting-the-Mess-that-is-SSL-TLS-Negotiation-Preparing-for-the-2020-Apocalypse.pptx


TLS: What it does

• Confidentiality

– Encryption of application data with the negotiated symmetric cipher

• Integrity

– TLS: keyed hash (HMAC) as the message authentication code; AEAD cipher suites (TLS 1.2 and all of TLS 1.3) fold authentication into the cipher itself

– SSL 3.0: an earlier, ad-hoc keyed hash (MAC) construction that predates HMAC

• Authentication

– X.509 certificates (the server's, and optionally the client's)


TLS Operations

• Client connects to the server

– To access a resource

• Public-key cryptography during the initial handshake to authenticate the server and establish the session keys

– PKI (X.509 certificates)

• Symmetric-key cryptography to encrypt and authenticate the data

– A master secret (shared secret) is derived by both sides

– Separate encryption and hashing (MAC) keys, one set per direction, are derived from the master secret


Demo: Connect to HTTPS

https://wiki.apnictraining.net/


Connect to HTTPS

https://datatracker.ietf.org/doc/html/rfc2246


SSL/TLS Negotiation Process

• The Handshake

– Applies to every SSL/TLS connection

– Determines the protocol version to be used

– Determines the cipher suite to be used

– Requires asymmetric cryptography

• Public key, delivered in a certificate that the client validates

• Private key known only to the server

– Typically only basic, one-way authentication: the client verifies the server

– Some servers require two-way (mutual) authentication

• The client presents its own certificate and proves possession of the matching private key (a second signature check, not a second key exchange)

• Seen in transactions such as funds transfers where both ends must be identified

– Costs two round trips in TLS 1.2 before application data flows (three counting the TCP handshake); TLS 1.3 needs one


How TLS Works – Part 1

[Figure: the PKI handshake establishes a shared master secret; from the master secret an encryption key and a hashing key are derived; application data is then sent as encrypted data.]


Symmetric Encryption

• Once the server's public key is verified up the chain of trust

– With RSA key exchange, the client generates a random pre-master secret and sends it to the server encrypted with the server's public key

– With (EC)DHE key exchange, the pre-master secret is the Diffie-Hellman shared secret instead; the C-random and S-random values are exchanged in the clear in the Hello messages either way

• Both client and server generate the same master secret

– PRF(pre-master secret, "master secret", C-random + S-random); no key exchange cipher is involved at this step, only the pseudorandom function

• Separate encryption and hashing keys are generated from the master secret

– All future communication is hashed (or AEAD-authenticated) and encrypted using the symmetric keys


How TLS Works – Part 2

[Figure: with the shared master secret in place, the derived encryption key and hashing key drive symmetric encryption of the application data.]


SSL/TLS Negotiation Process

• Data Transfer

– Both sides now hold the same master secret and the session keys derived from it

– The negotiated keys encrypt, authenticate and decrypt the traffic

– This is the Record layer: application data is split into records, each protected with the write key and sequence number of its direction
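The key derivation and record protection described on the last three slides (TLS Operations, Symmetric Encryption, Data Transfer), as an added Go example that is not part of the workshop material: the TLS 1.2 PRF of RFC 5246 turns the pre-master secret and the two Hello randoms into the master secret, the master secret is expanded into a write key and an implicit IV per direction (an AES-128-GCM suite has no separate MAC keys), and the record layer then seals and opens application data with those keys as RFC 5288 specifies. The pre-master secret and the randoms are constructed constants; a real handshake supplies them from the key exchange and the Hello messages.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// prf is the TLS 1.2 PRF of RFC 5246 section 5: P_SHA256(secret, label || seed) expanded to n bytes.
func prf(secret []byte, label string, seed []byte, n int) []byte {
	labelSeed := append([]byte(label), seed...)
	a := labelSeed // A(0) = seed
	out := make([]byte, 0, n+sha256.Size)
	for len(out) < n {
		mac := hmac.New(sha256.New, secret)
		mac.Write(a)
		a = mac.Sum(nil) // A(i) = HMAC(secret, A(i-1))
		mac.Reset()
		mac.Write(a)
		mac.Write(labelSeed)
		out = append(out, mac.Sum(nil)...) // HMAC(secret, A(i) || label || seed)
	}
	return out[:n]
}

// Keys is the RFC 5246 section 6.3 key_block for AES-128-GCM: no MAC keys (AEAD), one 16-byte key and one 4-byte implicit IV per direction.
type Keys struct {
	ClientWriteKey, ServerWriteKey []byte
	ClientWriteIV, ServerWriteIV   []byte
}

// DeriveKeys is what both peers compute: the 48-byte master secret, then the key block (randoms in swapped order).
func DeriveKeys(preMaster, clientRandom, serverRandom []byte) ([]byte, Keys) {
	master := prf(preMaster, "master secret", append(append([]byte{}, clientRandom...), serverRandom...), 48)
	block := prf(master, "key expansion", append(append([]byte{}, serverRandom...), clientRandom...), 40)
	return master, Keys{block[0:16], block[16:32], block[32:36], block[36:40]}
}

// recordAAD is the RFC 5246 section 6.2.3.3 additional data: seq_num || type (23 = application_data) || version (3,3) || length.
func recordAAD(seq uint64, length int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad, seq)
	aad[8], aad[9], aad[10] = 23, 3, 3
	binary.BigEndian.PutUint16(aad[11:], uint16(length))
	return aad
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord protects one record as an AES-GCM suite does (RFC 5288): the 12-byte nonce is the implicit IV
// from the key block plus an 8-byte explicit nonce (here the sequence number) sent in the clear before the ciphertext.
func SealRecord(key, iv []byte, seq uint64, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	explicit := make([]byte, 8)
	binary.BigEndian.PutUint64(explicit, seq)
	nonce := append(append([]byte{}, iv...), explicit...)
	return append(explicit, gcm.Seal(nil, nonce, plaintext, recordAAD(seq, len(plaintext)))...), nil
}

// OpenRecord is the receiving side: a wrong key, a replayed sequence number or a flipped bit all fail authentication first.
func OpenRecord(key, iv []byte, seq uint64, record []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(record) < 8+gcm.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce := append(append([]byte{}, iv...), record[:8]...)
	return gcm.Open(nil, nonce, record[8:], recordAAD(seq, len(record)-8-gcm.Overhead()))
}

func main() {
	// Constructed handshake values; a real handshake supplies the Hello randoms and the pre-master secret from the key exchange.
	preMaster := bytes.Repeat([]byte{0x42}, 32)
	clientRandom, serverRandom := bytes.Repeat([]byte{0x01}, 32), bytes.Repeat([]byte{0x02}, 32)
	master, keys := DeriveKeys(preMaster, clientRandom, serverRandom)
	fmt.Printf("master secret %x\nclient_write_key %x\n", master, keys.ClientWriteKey)
	rec, _ := SealRecord(keys.ClientWriteKey, keys.ClientWriteIV, 0, []byte("GET / HTTP/1.1\r\n"))
	pt, err := OpenRecord(keys.ClientWriteKey, keys.ClientWriteIV, 0, rec)
	fmt.Printf("server opens record 0: %q err=%v\n", pt, err)
	_, err = OpenRecord(keys.ClientWriteKey, keys.ClientWriteIV, 1, rec)
	fmt.Println("record 0 replayed as record 1 rejected:", err != nil)
}
```

The sequence number lives in the additional data, so a record captured and re-sent later fails authentication rather than being decrypted twice. In a real stack the explicit nonce must never repeat under one key; TLS 1.3 dropped the explicit nonce entirely and XORs the sequence number into the IV instead.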


PKI – public key infrastructure

• Digital (X.509) certificates

– Associate a public key with an individual or organisation

• Fields of an X.509 v3 certificate (RFC 5280):

– VERSION: version of X.509 (v3 for any certificate carrying extensions)

– SERIAL NUMBER: uniquely identifies the certificate within its issuer

– SIGNATURE ALGORITHM: algorithm used by the CA to sign the certificate

– ISSUER NAME: identity of the CA that issued the certificate

– VALIDITY PERIOD: not-before and not-after dates between which the certificate is valid

– SUBJECT NAME: entity associated with the public key (for a web server the host names live in the Subject Alternative Name extension rather than in the subject CN)

– SUBJECT PUBLIC KEY: the owner's public key

– EXTENSIONS (AUTHORITY KEY ID): identifies the public key of the issuer of the certificate, used to find the parent when building the chain

– EXTENSIONS (SUBJECT KEY ID): identifies this certificate's own public key, referenced by the Authority Key ID of the certificates it signs

– EXTENSIONS (CRL): CRL distribution points, where the issuer publishes its revocation list

– CA DIGITAL SIGNATURE: certifies the binding – the CA signs the subject's identity and public key

https://datatracker.ietf.org/doc/html/rfc5280


PKI – Chain of Trust

• Root Certificate Authority (CA)

– Self-signed; trusted only because it is shipped in the client's root store

– Issues and signs the intermediate CA's (ICA's) certificate

• Intermediate CA

– Issues and signs End Entity (EE) certificates, so the root key can stay offline

• End Entity

– The server (or client) certificate presented in the handshake

Root CA → ICA → EE: one root signs several ICAs, and each ICA signs many EE certificates

https://en.wikipedia.org/wiki/Public_key_certificate


PKI – Example

• Client (browser) sends an HTTPS request to google.com

– Browsers ship with the trusted root CA certificates already stored

• Web server sends back google.com's certificate

– Signed by the Google ICA, plus

– The Google ICA's certificate, signed by the root CA (GeoTrust, in the slide's example)

• Client verifies the certificates up the chain of trust: google.com cert (signed by the ICA) → ICA cert (signed by the root) → root CA cert (self-signed, in the browser's store)

– Once successfully verified, the public key in the server certificate is used in the handshake
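The chain walk described on the X.509 certificate slide and the two PKI slides above, as an added Go example (not code from the workshop) built on the standard library's crypto/x509: it issues a self-signed root, an intermediate signed by the root and a server certificate signed by the intermediate, then verifies the leaf the way a browser does and shows why a missing intermediate, an untrusted root or a wrong host name each fail. All names (Example Root CA, Example Issuing CA G1, www.example.test) are hypothetical and the certificates are generated in memory on each run.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key pair and a certificate for it signed by parent/parentKey; a nil parent yields a self-signed certificate (the Root CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // positive and unique per issuer
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // clients match the host against the SAN, not the CN
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so SubjectKeyId/AuthorityKeyId are populated
	return cert, key
}

// PKI is the three-tier hierarchy on the slide: Root CA -> ICA -> End Entity.
type PKI struct {
	Root, ICA, Leaf *x509.Certificate
}

// BuildPKI issues a root, an intermediate signed by it, and a server certificate for the hypothetical host www.example.test.
func BuildPKI() PKI {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	ica, icaKey := issue("Example Issuing CA G1", true, root, rootKey)
	leaf, _ := issue("www.example.test", false, ica, icaKey)
	return PKI{Root: root, ICA: ica, Leaf: leaf}
}

// Verify plays the browser: trusts only roots, receives intermediates with the leaf, and accepts only if the leaf
// chains to a trusted root within every validity period and is valid for host. Returns the chain length (3 here).
func Verify(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, host string) (int, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// LinksByKeyID checks the extension pair from the certificate slide: the child's Authority Key Identifier names the parent's Subject Key Identifier.
func LinksByKeyID(child, parent *x509.Certificate) bool {
	return len(parent.SubjectKeyId) > 0 && bytes.Equal(child.AuthorityKeyId, parent.SubjectKeyId)
}

func main() {
	p := BuildPKI()
	trusted, served := []*x509.Certificate{p.Root}, []*x509.Certificate{p.ICA}
	n, err := Verify(p.Leaf, trusted, served, "www.example.test")
	fmt.Println("full chain:", n, err)
	var unknown, badHost = x509.UnknownAuthorityError{}, x509.HostnameError{}
	_, err = Verify(p.Leaf, trusted, nil, "www.example.test") // server omitted the ICA certificate
	fmt.Println("missing intermediate is an unknown authority:", errors.As(err, &unknown))
	_, err = Verify(p.Leaf, nil, served, "www.example.test") // client does not trust this root
	fmt.Println("untrusted root is an unknown authority:", errors.As(err, &unknown))
	_, err = Verify(p.Leaf, trusted, served, "mail.example.test") // chain fine, name wrong
	fmt.Println("wrong host is a hostname error:", errors.As(err, &badHost))
	fmt.Println("AKI/SKI links leaf->ICA, ICA->root:", LinksByKeyID(p.Leaf, p.ICA), LinksByKeyID(p.ICA, p.Root))
}
```

The "missing intermediate" case is the most common real-world misconfiguration: the server must send the ICA certificate along with its own, because the client only holds roots. Note that Go, like browsers, ignores the subject CN for host matching and requires the name in the Subject Alternative Name extension.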


X.509 certificate formats and extensions

• Base64 (ASCII)

– PEM (Privacy-Enhanced Mail): .pem, .crt, .ca-bundle

– PKCS#7 (Public Key Cryptography Standards): .p7b, .p7s

• Binary

– DER (Distinguished Encoding Rules): .der, .cer

– PKCS#12: .pfx, .p12

https://www.ssls.com/knowledgebase/what-are-certificate-formats-and-what-is-the-difference-between-them/

https://www.tutorialsteacher.com/https/ssl-certificate-format


PKI certificate file extensions

• Four common ways to present certificates and their components:

– PEM - Governed by RFCs (RFC 7468): base64-encoded DER between BEGIN/END lines, used preferentially by open-source software because it is text-based and therefore less prone to translation/transmission errors. It can have a variety of extensions (.pem, .key, .cer, .cert, more); several certificates can be concatenated into one bundle file.

– PKCS#7 - An open standard used by Java and supported by Windows for distributing certificates and chains. Does not contain private key material.

– PKCS#12 - Grew out of Microsoft's PFX format and was later defined in an RFC (RFC 7292); a password-protected container that, unlike plain-text PEM, can hold private key and certificate chain material together. Used preferentially by Windows systems, and freely convertible to PEM with openssl.

– DER - The binary ASN.1 encoding that PEM wraps; it is useful to think of PEM as the base64 text version of a DER file. Not routinely used outside Windows and Java.

https://en.wikipedia.org/wiki/X.509


Demo: Review TLS pcap

https://www.cloudshark.org/captures/64d433b1585a


Trusted vs Non-trusted Certificate


Demo: BadSSL

https://badssl.com


Certificate Authority


QuoVadis Global SSL ICA G3

https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html


WoSign (CA distrusted by Mozilla in 2016 after mis-issuance)

https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion


Demo: PKI using OpenSSL

https://www.globalsign.com/en/blog/information-security-its-easy-p-k-I

1. Alice and Bob each create their own private and public key pair.

2. Bob sends Alice his public key.

3. Alice encrypts the message using Bob's public key and sends it to Bob.

4. Bob decrypts Alice's message using his private key.


Introducing Let’s Encrypt

• A free, automated and open certificate authority run by the Internet Security Research Group (ISRG)

– Prove control of your domain (an ACME challenge) to get a domain-validated TLS/SSL certificate

– https://letsencrypt.org


Let’s Encrypt chain

• The Let’s Encrypt intermediate (Authority X3) was cross-signed by IdenTrust’s DST Root CA X3, so clients that did not yet trust ISRG Root X1 could still build a chain

– A bridge until ISRG (Internet Security Research Group) was trusted by everyone; the DST Root CA X3 cross-sign expired on 30 September 2021, which broke old clients that had never added ISRG Root X1

https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html


Introducing Let’s Encrypt

• Browser and OS support

– https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394

• Check your browser

– https://wiki.apnictraining.net (signed by Let’s Encrypt)


Known Attacks on TLS/SSL

https://www.feistyduck.com/ssl-tls-and-pki-history/


BEAST (CVE-2011-3389)

• Browser Exploit Against SSL/TLS (BEAST)

– Affects TLS 1.0 and older: a chosen-plaintext attack on CBC cipher suites that exploits the predictable IV (the previous record's last block) to decrypt data such as cookies byte by byte

– Fixed by the explicit per-record IV introduced in TLS 1.1

https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html


CRIME (CVE-2012-4929)

• Compression Ratio Info-leak Made Easy (CRIME)

– Exploits TLS-level (DEFLATE) compression: the attacker injects guesses into requests and watches the compressed size to recover secrets such as session cookies

– Mitigated by disabling TLS compression; TLS 1.3 removed it altogether

https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929


BREACH (CVE-2013-3587)

• Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

• The same idea as CRIME applied to HTTP-level response compression (gzip/deflate), which disabling TLS compression does not stop

• The vulnerability affects a website that:

– is hosted on a server that uses HTTP-level compression

– reflects user input in HTTP response bodies

– reflects a secret (such as a Cross-Site Request Forgery token) in the same HTTP response bodies

• Mitigations: disable compression on responses that carry secrets, or mask the secret with a fresh random value on every response

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3587
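The three preconditions above, as an added Go example that is not from the deck: a constructed response body carries a CSRF token and echoes the attacker's query, the gzip size is the only observable (the TLS record length leaks it even though the content is encrypted), and the token is recovered one character at a time because a correct guess is absorbed into a longer deflate back-reference while a wrong one costs a literal. The token, the page layout and the "csrf value=" prefix the attacker is assumed to know are all constructed; the second renderer applies the per-response masking mitigation and shows the oracle disappearing.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// csrfToken is the constructed secret. It is 7 characters and the known prefix below is 11
// bytes, so every back-reference length (11..18) falls in one deflate length-code class and a
// right guess is exactly one 8-bit literal, i.e. one byte, cheaper than a wrong one.
const csrfToken = "7K2M9ZQ"

// knownPrefix is the page text the attacker knows immediately precedes the secret.
const knownPrefix = "csrf value="

const alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

// Page is a constructed response meeting all three BREACH preconditions: it will be gzip
// compressed, it contains a secret, and it reflects attacker-controlled input (query).
func Page(query string) []byte {
	return []byte("<input name=csrf value=" + csrfToken + "><p>q=" + query)
}

// MaskedPage is the usual mitigation: XOR the token with a fresh random mask on every
// response and send mask||masked, so the bytes available to match against change each time.
func MaskedPage(query string) []byte {
	mask := make([]byte, len(csrfToken))
	rand.Read(mask)
	masked := make([]byte, len(csrfToken))
	for i := range masked {
		masked[i] = csrfToken[i] ^ mask[i]
	}
	return []byte("<input name=csrf value=" + hex.EncodeToString(mask) + hex.EncodeToString(masked) + "><p>q=" + query)
}

// CompressedLen is the attacker's only observable: the size of the gzip-compressed body.
func CompressedLen(body []byte) int {
	var buf bytes.Buffer
	w, _ := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	w.Write(body)
	w.Close()
	return buf.Len()
}

// RecoverToken guesses n characters one at a time. For each position it reflects
// knownPrefix + recovered + candidate and keeps the unique candidate whose response shrank.
// It stops and reports failure when no candidate stands out (the oracle is gone).
func RecoverToken(render func(string) []byte, n int) (string, bool) {
	known := ""
	for len(known) < n {
		var best byte
		bestLen, unique := int(^uint(0)>>1), false
		for i := 0; i < len(alphabet); i++ {
			l := CompressedLen(render(knownPrefix + known + string(alphabet[i])))
			switch {
			case l < bestLen:
				best, bestLen, unique = alphabet[i], l, true
			case l == bestLen:
				unique = false
			}
		}
		if !unique {
			return known, false
		}
		known += string(best)
	}
	return known, true
}

func main() {
	fmt.Println("right guess:", CompressedLen(Page(knownPrefix+"7")), "bytes; wrong guess:", CompressedLen(Page(knownPrefix+"X")), "bytes")
	got, ok := RecoverToken(Page, len(csrfToken))
	fmt.Printf("compressed, unmasked page: recovered %q (complete=%v)\n", got, ok)
	got, ok = RecoverToken(MaskedPage, len(csrfToken))
	fmt.Printf("masked page: recovered %q (complete=%v), real token %q\n", got, ok, csrfToken)
}
```

Against a real site the attacker measures TLS record sizes on the wire rather than calling the renderer, and needs to average over noise from dynamic Huffman tables and chunked responses; the constants here are chosen so that the difference is exactly one byte and the recovery is deterministic. With masking, the matched bytes are a random mask that changes per response, so whatever the oracle returns is useless.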


Heartbleed (CVE-2014-0160)

• Buffer over-read in OpenSSL's implementation of the TLS Heartbeat extension (RFC 6520): a heartbeat request that claims a larger payload than it carries is answered with up to 64 KB of the peer's process memory per request

• Leaked memory can contain the server's private key, session cookies and passwords, and exploitation leaves no trace in ordinary server logs

• Affected OpenSSL 1.0.1 through 1.0.1f; fixed in 1.0.1g

https://xkcd.com/1354/

https://heartbleed.com

POODLE (CVE-2014-3566)

• A combination of MiTM and downgrade attack: the attacker breaks TLS handshakes until the client falls back to SSL 3.0

• Exploits the SSL 3.0 vulnerability in Cipher Block Chaining (CBC) mode: SSL 3.0 does not check the padding bytes, giving a padding oracle that decrypts a secret (e.g. a cookie) one byte per 256 requests

• Fix: disable SSL 3.0 and support TLS_FALLBACK_SCSV (RFC 7507) to block the downgrade

https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566


POODLE variants

• Zombie POODLE (2019) revives the attack against TLS 1.2 CBC cipher suites on implementations whose error behaviour distinguishes bad padding from a bad MAC; it attacks encrypted Web and VPN sessions

• GOLDENDOODLE is a faster, more powerful crypto-hack variant of POODLE that exploits implementations which skip MAC validation when the padding is invalid

• Both are padding-oracle bugs in specific products rather than in the TLS 1.2 protocol itself (the linked CVE is one vendor's instance)

https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6593


FREAK (CVE-2015-0204)

• FREAK (“Factoring RSA Export Keys”)

• MiTM attack during the pre-master-secret negotiation: the attacker rewrites the ClientHello to ask for an RSA_EXPORT cipher suite

• Forces the use of ‘export-grade’ cryptography: vulnerable clients accept the server's 512-bit export RSA key, which the attacker factors (hours of cloud compute) and then uses to decrypt the pre-master secret

https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204


Logjam (CVE-2015-4000)

• MiTM attack that downgrades the connection to DHE_EXPORT cipher suites (512-bit Diffie-Hellman)

• Similar to the FREAK attack, but it targets a flaw in the TLS protocol rather than a client bug

• Attacks the Diffie-Hellman (DH) key exchange: after a one-time precomputation against a widely shared 512-bit group, individual connections can be broken in minutes; the same approach is plausible against common 1024-bit groups for a nation-state attacker

• For more detail - https://weakdh.org

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000


DROWN (CVE-2016-0800)

• Cross-protocol attack: a server that still supports SSLv2 (or any server sharing the same RSA key with one that does) acts as a Bleichenbacher padding oracle for decrypting the RSA key exchange of modern TLS sessions

• Allows an attacker to decrypt one connection at a time, using thousands of SSLv2 probe connections plus offline computation per victim connection

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800

https://drownattack.com


Sweet32 (CVE-2016-2183)

• Birthday attack on 64-bit block ciphers in CBC mode; in TLS it affects the block cipher triple-DES (3DES)

• After about 2^32 blocks (tens of gigabytes) on one long-lived connection, ciphertext block collisions leak plaintext XORs, enough to recover a cookie that is sent repeatedly

• Fix: prefer AES; TLS 1.3 has no 64-bit block ciphers

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183

https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html


Bleichenbacher attack (CVE-2017-6168)

• Adaptive chosen-ciphertext attack on the RSA PKCS#1 v1.5 key exchange: a server whose error behaviour distinguishes correctly from incorrectly padded pre-master secrets becomes a decryption (and signing) oracle, fully breaking the confidentiality of TLS sessions that used RSA key exchange

• Also named the “million message attack” (Bleichenbacher, 1998); it resurfaced in 2017 as ROBOT (Return Of Bleichenbacher's Oracle Threat), and the linked CVE is one vendor's instance

• Mitigation: prefer (EC)DHE cipher suites; TLS 1.3 removed RSA key exchange entirely

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6168

https://beaglesecurity.com/blog/article/importance-of-tls-1-3-ssl-and-tls-vulnerabilities.html


CurveBall (CVE-2020-0601)

• Windows CryptoAPI (crypt32.dll) Spoofing Vulnerability

• Only affects Elliptic Curve certificates; RSA-type CA certificates are unaffected

• Vulnerability in which the signature of certificates using elliptic curve cryptography (ECC) is not correctly verified: CryptoAPI matched a trusted root by its public key but did not check that the certificate's explicit curve parameters (in particular the generator) were the standard ones

• Knowledge of elliptic curve cryptography is needed to craft a private key with custom curve parameters whose public key equals a trusted root's, and hence a fake CA certificate (beyond the scope of this talk)

https://www.securityinsider-wavestone.com/2020/01/cve-2020-0601-curveball-breaking-trust.html


More details

https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL


Demo: Shodan.io

Query: ssl.version:sslv2 HTTP -ssl.version:sslv3,tlsv1,tlsv1.1,tlsv1.2,tlsv1.3 (HTTP servers that still offer only SSLv2)

https://beta.shodan.io/search/facet?query=https&facet=vuln.verified

https://www.shodan.io/search/report?query=ssl.version%3Asslv2+HTTP+-ssl.version%3Asslv3%2Ctlsv1%2Ctlsv1.1%2Ctlsv1.2%2Ctlsv1.3


TLS 1.0 and 1.1 Deprecation

• March 2021: RFC 8996 formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346)

– https://datatracker.ietf.org/doc/html/rfc8996

• By March 2020, most of the large providers (Google, Microsoft, Mozilla, Cisco) had disabled these old TLS versions in their browsers and products

• Recommended: TLS 1.2 as the minimum, with TLS 1.3 preferred

– Some older clients may not support it


TLS 1.0 and 1.1 Deprecation

https://blog.shodan.io/understanding-security-by-country-ssl/


https://beta.shodan.io/search/facet?query=http&facet=ssl.version


https://beta.shodan.io/search/facet?query=ssl.version%3Atlsv1&facet=vuln.verified


How to check Web server support?

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.apnictraining.net


How to check your browser support?

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html


Cipher Suites

• A cipher suite is the set of algorithms that determines how data is protected over TLS; the negotiated suite fixes the key exchange, the authentication method, the bulk cipher and the hash

https://youtu.be/XwrfZLKsuhE

• Example: ECDHE-RSA-AES256-GCM-SHA384 (OpenSSL name; the IANA name is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

– ECDHE is the key exchange algorithm (ephemeral elliptic-curve Diffie-Hellman, which gives forward secrecy)

– RSA is the authentication algorithm (the server's certificate key signs the key exchange)

– AES256-GCM is the bulk encryption algorithm (an AEAD mode, so it also provides integrity)

– SHA384 is the hash for the PRF and the handshake transcript; in older (CBC) suites this slot names the HMAC algorithm used as the message authentication code (MAC)

https://www.mybluelinux.com/most-secure-ssl/tls-configuration-for-apache-nginx-postfix-dovecot-haproxy-and-other/
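Decomposing a suite name as the slide does, as an added Go example that is not from the deck: it parses IANA-style names (the slide's OpenSSL-style ECDHE-RSA-AES256-GCM-SHA384 is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 in that registry), flags the properties that map to the attacks covered earlier (export keys, anonymous DH, RC4, 3DES, static RSA, CBC), and cross-checks each name against the lists the Go standard library itself marks secure or insecure. The sample names in main are constructed input.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Suite is the slide's decomposition plus the properties a reviewer actually cares about.
type Suite struct {
	Name, KeyExchange, Auth, Bulk, Hash string
	ForwardSecrecy, AEAD               bool
	Weak                               string // reason not to offer it; empty if acceptable
}

// ParseSuite splits an IANA name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. TLS 1.3 names
// (TLS_AES_256_GCM_SHA384) have no _WITH_ part: key exchange and signature are negotiated separately.
func ParseSuite(name string) (Suite, error) {
	s := Suite{Name: name}
	if !strings.HasPrefix(name, "TLS_") || strings.HasSuffix(name, "_SCSV") {
		return s, fmt.Errorf("%q is not a cipher suite name", name)
	}
	kxAuth, cipherHash, hasWith := strings.Cut(strings.TrimPrefix(name, "TLS_"), "_WITH_")
	if !hasWith {
		cipherHash = kxAuth
		s.KeyExchange, s.Auth, s.ForwardSecrecy = "(EC)DHE", "certificate or PSK", true
	} else {
		kx, auth, ok := strings.Cut(kxAuth, "_")
		switch {
		case !ok: // TLS_RSA_WITH_...: the certificate key both authenticates and carries the secret
			auth = kx
		case auth == "EXPORT": // TLS_RSA_EXPORT_WITH_...
			kx, auth = "RSA_EXPORT", "RSA"
		}
		s.KeyExchange, s.Auth = kx, auth
		s.ForwardSecrecy = strings.HasSuffix(kx, "DHE") // ephemeral DH or ECDH
	}
	i := strings.LastIndex(cipherHash, "_")
	if i < 0 {
		return s, fmt.Errorf("%q has no hash component", name)
	}
	s.Bulk, s.Hash = cipherHash[:i], cipherHash[i+1:]
	s.AEAD = strings.Contains(s.Bulk, "GCM") || strings.Contains(s.Bulk, "CCM") || strings.Contains(s.Bulk, "POLY1305")
	s.Weak = weakness(s)
	return s, nil
}

func weakness(s Suite) string {
	switch {
	case strings.Contains(s.Name, "EXPORT"):
		return "export-grade keys (FREAK, Logjam)"
	case s.Auth == "anon":
		return "unauthenticated key exchange, trivial MITM"
	case strings.HasPrefix(s.Bulk, "RC4"):
		return "RC4 keystream biases (RFC 7465)"
	case strings.HasPrefix(s.Bulk, "3DES") || strings.HasPrefix(s.Bulk, "DES"):
		return "64-bit block cipher (Sweet32)"
	case !s.ForwardSecrecy:
		return "static RSA/DH: no forward secrecy, RSA oracle attacks (Bleichenbacher/ROBOT, DROWN)"
	case !s.AEAD:
		return "CBC MAC-then-encrypt (BEAST/POODLE-style padding oracles)"
	}
	return ""
}

// GoOpinion cross-checks a name against the Go standard library's own secure/insecure lists.
func GoOpinion(name string) string {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return "secure"
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return "insecure"
		}
	}
	return "unsupported"
}

func main() {
	for _, name := range []string{ // constructed sample input
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", // the slide's ECDHE-RSA-AES256-GCM-SHA384
		"TLS_AES_128_GCM_SHA256",
		"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_RSA_EXPORT_WITH_RC4_40_MD5",
		"TLS_DH_anon_WITH_AES_128_CBC_SHA",
	} {
		s, err := ParseSuite(name)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-38s kx=%-10s auth=%-18s bulk=%-13s hash=%-6s pfs=%-5t aead=%-5t go=%-11s %s\n",
			s.Name, s.KeyExchange, s.Auth, s.Bulk, s.Hash, s.ForwardSecrecy, s.AEAD, GoOpinion(name), s.Weak)
	}
}
```

The name-based checks are a quick audit aid for a server's configured list; the library cross-check matters because a name can look acceptable (an AES-CBC suite with SHA-256, for example) and still be one the implementation refuses to enable by default.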


Configuration Generator

https://ssl-config.mozilla.org
