Deploying TLS 1.3: the great, the good and the bad: Improving the encrypted web, one round-trip at a time

Presented at 33C3 (2016), Dec. 27, 2016, 9:45 p.m. (60 minutes)

Transport Layer Security (TLS) 1.3 is almost here. The protocol that protects most of the Internet's secure connections is getting its biggest ever revamp, and is losing a round-trip. We will explore the differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption. At Cloudflare we will be the first to deploy TLS 1.3 on a wide scale, and we'll discuss the insights we gained while implementing and deploying this protocol.

Version 1.3 is the latest revision of the Transport Layer Security (TLS) protocol, which lets client/server applications communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. TLS is the S in HTTPS.

A lot has changed between 1.2 (2008) and 1.3. At a high level, 1.3 saves a round-trip, making most connections much faster to establish: the client sends its key share in its very first message, so the server can reply with everything needed to complete the handshake, and the client can start sending application data one round-trip after it said hello. We'll see how the 1.2 handshake worked, and what had to change to enable 1-RTT handshakes.
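To make the saved round-trip visible, here is an added example written for this page; it is not code from the talk or from Cloudflare's stack. It drives Go's standard crypto/tls through a full handshake over an in-memory connection, once against a TLS 1.3 server and once against the same server capped at 1.2, and counts how many server flights the client has to wait for before its own handshake completes. The host name example.test, the self-signed certificate and the buffered in-memory pipe are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// bufPipe is one direction of an in-memory byte stream. Unlike net.Pipe it
// buffers, so a TLS 1.3 server can push NewSessionTicket right behind its
// Finished without waiting for the client to read, as on a real socket.
type bufPipe struct {
	ch   chan []byte
	rest []byte
}

func newBufPipe() *bufPipe { return &bufPipe{ch: make(chan []byte, 1024)} }
func (p *bufPipe) Write(b []byte) (int, error) { p.ch <- append([]byte(nil), b...); return len(b), nil }
func (p *bufPipe) Read(b []byte) (int, error) {
	if len(p.rest) == 0 {
		p.rest = <-p.ch
	}
	n := copy(b, p.rest)
	p.rest = p.rest[n:]
	return n, nil
}

// endpoint is a net.Conn over two bufPipes that also counts flights: every
// run of Reads that follows a Write is one flight the peer had to send us.
type endpoint struct {
	in, out *bufPipe
	reading bool
	flights int
}

func (e *endpoint) Read(b []byte) (int, error) {
	if !e.reading {
		e.reading, e.flights = true, e.flights+1
	}
	return e.in.Read(b)
}
func (e *endpoint) Write(b []byte) (int, error)      { e.reading = false; return e.out.Write(b) }
func (e *endpoint) Close() error                     { return nil }
func (e *endpoint) LocalAddr() net.Addr              { return &net.TCPAddr{} }
func (e *endpoint) RemoteAddr() net.Addr             { return &net.TCPAddr{} }
func (e *endpoint) SetDeadline(time.Time) error      { return nil }
func (e *endpoint) SetReadDeadline(time.Time) error  { return nil }
func (e *endpoint) SetWriteDeadline(time.Time) error { return nil }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// selfSignedCert mints a throwaway ECDSA certificate for host (constructed for
// the demo) plus a pool that trusts it, so the client does real validation.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshakeOver runs one full handshake against a server capped at serverMax and
// returns the negotiated version and how many server flights the client waited
// for before its own Handshake() returned.
func handshakeOver(host string, serverMax uint16, cert tls.Certificate, pool *x509.CertPool) (uint16, int, error) {
	c2s, s2c := newBufPipe(), newBufPipe()
	cli, srv := &endpoint{in: s2c, out: c2s}, &endpoint{in: c2s, out: s2c}
	server := tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: serverMax})
	client := tls.Client(cli, &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12})
	srvErr := make(chan error, 1)
	go func() { srvErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return 0, 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, 0, err
	}
	return client.ConnectionState().Version, cli.flights, nil
}

func main() {
	cert, pool := selfSignedCert("example.test")
	for _, serverMax := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		ver, flights, err := handshakeOver("example.test", serverMax, cert, pool)
		fmt.Printf("server max %#04x: negotiated %#04x, client waited for %d server flight(s), err=%v\n", serverMax, ver, flights, err)
	}
}
```

With 1.3 the client's Handshake() returns after a single server flight (ServerHello through Finished); with 1.2 it must wait for the server's second flight (ChangeCipherSpec and Finished) before it may send application data, which is the round-trip 1.3 removes. The 1.3 server has also already queued its NewSessionTicket, which the client only consumes on its first Read; that is why the example buffers instead of using net.Pipe, whose synchronous writes would stall the server there.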

But even more importantly, the 1.3 design shifted towards putting robustness first. Anything that is not strictly necessary to the main function of TLS was removed (compression, renegotiation); options of suboptimal security aren't offered at all (static RSA, CBC, RC4, SHA1, MD5); secure, easy-to-implement designs are introduced or privileged (RSA-PSS, AEAD implicit nonces, full handshake signatures, Curve25519, resumption forward secrecy). We will go into the why and how of each of these.

But two major trade-offs had to be made. First, 1-RTT handshakes leave no room for encrypting the domain name (SNI): it travels in the ClientHello, before any key has been agreed, so there is nothing yet to encrypt it with. We'll see why and what can stand in for it to provide similar privacy.

Second, and most interestingly, 1.3 comes with 0-RTT resumption: a client holding a ticket from a previous session can send application data in its very first flight. The catch is that the protocol itself provides no complete protection against replay attacks: whoever captures that first flight can send it again, and nothing in the handshake lets the server tell the copy from the original. We'll unpack the problem, see what mitigations are available, what the risks and attacks are, and how that requires careful API design and deployment.
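As an added illustration of the mitigations a server can layer on top of the protocol (example code for this page, not from the talk or from Cloudflare), here is a small Go gate that applies the RFC 8446 section 8 checks before acting on 0-RTT data: a freshness window on the obfuscated ticket age, a single-use store of ClientHello hashes inside that window, and an application rule that only idempotent requests are honoured in early data. The Ticket type, the EarlyDataGate API, the 10-second window, the timestamps and the ClientHello bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
	"time"
)

// Ticket is what the server knows about a session it issued: when, and the
// random ticket_age_add it gave the client to obfuscate the age with.
type Ticket struct {
	IssuedAt time.Time
	AgeAdd   uint32
}

// EarlyDataGate decides whether a 0-RTT flight may be acted upon, layering the
// RFC 8446 section 8 mitigations: a freshness window on the ticket age, a
// single-use record of ClientHellos seen inside that window, and an
// application rule that only safe (idempotent) requests ride in early data.
type EarlyDataGate struct {
	Window time.Duration // tolerated drift from the expected arrival time
	mu     sync.Mutex
	seen   map[[32]byte]time.Time // ClientHello hash -> when it may be forgotten
}

func NewEarlyDataGate(window time.Duration) *EarlyDataGate {
	return &EarlyDataGate{Window: window, seen: map[[32]byte]time.Time{}}
}

// Decide reports whether early data is accepted and, if not, why. obfuscatedAge
// is the client's obfuscated_ticket_age, clientHello the raw ClientHello bytes
// and method the HTTP method carried in the early data.
func (g *EarlyDataGate) Decide(now time.Time, t Ticket, obfuscatedAge uint32, clientHello []byte, method string) (bool, string) {
	// Freshness (8.3): undo the obfuscation (uint32 wraps mod 2^32) and compare
	// the client's claimed age with the wall clock. A replay sent long after the
	// original fails here without consulting any state at all.
	age := time.Duration(obfuscatedAge-t.AgeAdd) * time.Millisecond
	if drift := now.Sub(t.IssuedAt.Add(age)); drift < -g.Window || drift > g.Window {
		return false, "ticket age outside freshness window"
	}
	// Single use (8.2): inside the window, a ClientHello already seen is a
	// replay. An entry only needs to live until any copy of it would fail the
	// freshness check above, i.e. 2*Window after first sight.
	g.mu.Lock()
	defer g.mu.Unlock()
	for h, forgetAt := range g.seen {
		if now.After(forgetAt) {
			delete(g.seen, h)
		}
	}
	h := sha256.Sum256(clientHello)
	if _, dup := g.seen[h]; dup {
		return false, "ClientHello already seen: replay"
	}
	g.seen[h] = now.Add(2 * g.Window)
	// Application layer: even a genuine first flight is only safe to execute
	// if a duplicate would be harmless.
	if method != "GET" && method != "HEAD" {
		return false, "non-idempotent request in early data"
	}
	return true, ""
}

// demo pushes a constructed 0-RTT flight through the gate four times and
// returns the verdicts: original, immediate replay, late replay, POST.
func demo() []string {
	g := NewEarlyDataGate(10 * time.Second)
	issued := time.Date(2016, 12, 27, 21, 45, 0, 0, time.UTC)
	t := Ticket{IssuedAt: issued, AgeAdd: 0xdeadbeef}
	hello := []byte("ClientHello{psk=ticket-1, early_data, GET /}") // stand-in for the real bytes
	obfuscated := uint32(30000) + t.AgeAdd                          // client resumes 30 s after issuance
	verdict := func(ok bool, why string) string {
		if ok {
			return "accepted"
		}
		return "rejected: " + why
	}
	return []string{
		verdict(g.Decide(issued.Add(31*time.Second), t, obfuscated, hello, "GET")), // original, 1 s in flight
		verdict(g.Decide(issued.Add(33*time.Second), t, obfuscated, hello, "GET")), // attacker replays 2 s later
		verdict(g.Decide(issued.Add(2*time.Minute), t, obfuscated, hello, "GET")),  // replays well after the window
		verdict(g.Decide(issued.Add(31*time.Second), t, obfuscated, []byte("ClientHello{psk=ticket-1, early_data, POST /transfer}"), "POST")),
	}
}

func main() {
	for _, v := range demo() {
		fmt.Println(v)
	}
}
```

The single-use store is per process: a copy of the same flight sent to another server that does not share that store passes the freshness check, so across a fleet the application rule is the only line that holds by itself. That gap, rather than any one check, is why the decision about what may be executed from early data has to live in the API the server exposes to its application, not in the TLS layer alone.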

Finally, deployment hasn't been entirely smooth. Many servers out there turned out to be intolerant to 1.3 clients: instead of negotiating the highest version they support, they break the handshake when offered a version they don't know. We'll see what this causes, how it was worked around, and how downgrade protection provides defense in depth.
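The downgrade protection just mentioned, as an added example (code written for this page, not from the talk or from Cloudflare's Go stack): per RFC 8446 section 4.1.3, a TLS 1.3-capable server that ends up negotiating 1.2 or lower writes a fixed sentinel into the last eight bytes of ServerHello.random, and a client that offered 1.3 aborts when it sees one. Below is that client-side check together with a small ServerHello parser that reads the real negotiated version from the supported_versions extension. The buildServerHello helper, the cipher suite values and the scenario labels are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const typeServerHello, extSupportedVersions = 2, 0x002b

// RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates 1.2 (or
// 1.1 and below) ends ServerHello.random with one of these sentinels.
var sentinelTLS12 = []byte("DOWNGRD\x01")
var sentinelTLS11 = []byte("DOWNGRD\x00")

type ServerHello struct {
	Version uint16 // supported_versions answer if present, else legacy_version
	Random  [32]byte
}

// ParseServerHello decodes a ServerHello handshake message (1-byte type,
// 3-byte length, body; no record header), rejecting inconsistent lengths.
func ParseServerHello(msg []byte) (*ServerHello, error) {
	if len(msg) < 42 || msg[0] != typeServerHello || len(msg)-4 != int(msg[1])<<16|int(msg[2])<<8|int(msg[3]) {
		return nil, errors.New("not a well-formed ServerHello")
	}
	b := msg[4:]
	sh := &ServerHello{Version: binary.BigEndian.Uint16(b)}
	copy(sh.Random[:], b[2:34])
	sid := int(b[34]) // legacy_session_id_echo length
	if len(b) < 38+sid {
		return nil, errors.New("truncated before cipher suite")
	}
	b = b[38+sid:] // past session id, cipher_suite, legacy_compression_method
	if len(b) == 0 {
		return sh, nil // a pre-1.3 server may send no extensions block at all
	}
	if len(b) < 2 || len(b)-2 != int(binary.BigEndian.Uint16(b)) {
		return nil, errors.New("bad extensions length")
	}
	for b = b[2:]; len(b) > 0; {
		if len(b) < 4 || len(b) < 4+int(binary.BigEndian.Uint16(b[2:])) {
			return nil, errors.New("truncated extension")
		}
		typ, l := binary.BigEndian.Uint16(b), int(binary.BigEndian.Uint16(b[2:]))
		if typ == extSupportedVersions && l != 2 {
			return nil, errors.New("bad supported_versions")
		} else if typ == extSupportedVersions {
			sh.Version = binary.BigEndian.Uint16(b[4:])
		}
		b = b[4+l:]
	}
	return sh, nil
}

// CheckDowngrade is the client-side rule: we offered clientMax, the server
// settled lower, and its random says it could have done better.
func CheckDowngrade(clientMax uint16, sh *ServerHello) error {
	tail := sh.Random[24:]
	switch {
	case clientMax >= 0x0304 && sh.Version <= 0x0303 && bytes.Equal(tail, sentinelTLS12):
		return errors.New("downgrade: server is TLS 1.3 capable but negotiated <= 1.2")
	case clientMax >= 0x0303 && sh.Version <= 0x0302 && bytes.Equal(tail, sentinelTLS11):
		return errors.New("downgrade: server is TLS 1.2 capable but negotiated <= 1.1")
	}
	return nil
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildServerHello serialises a minimal ServerHello as constructed parser
// input; selected goes into supported_versions when non-zero.
func buildServerHello(legacy uint16, random [32]byte, suite, selected uint16) []byte {
	body := append(put16(nil, legacy), random[:]...)
	body = append(put16(append(body, 0), suite), 0) // empty session id, suite, null compression
	if selected != 0 {
		body = put16(put16(put16(put16(body, 6), extSupportedVersions), 2), selected)
	}
	n := len(body)
	return append([]byte{typeServerHello, byte(n >> 16), byte(n >> 8), byte(n)}, body...)
}

func main() {
	var clean, flagged [32]byte
	copy(flagged[24:], sentinelTLS12)
	for _, c := range []struct{ name string; clientMax uint16; msg []byte }{
		{"honest TLS 1.3 server", 0x0304, buildServerHello(0x0303, clean, 0x1301, 0x0304)},
		{"server that predates 1.3", 0x0304, buildServerHello(0x0303, clean, 0xc02f, 0)},
		{"1.3 server forced down to 1.2", 0x0304, buildServerHello(0x0303, flagged, 0xc02f, 0)},
		{"same ServerHello, client only offered 1.2", 0x0303, buildServerHello(0x0303, flagged, 0xc02f, 0)},
	} {
		sh, err := ParseServerHello(c.msg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-42s negotiated %#04x, downgrade check: %v\n", c.name, sh.Version, CheckDowngrade(c.clientMax, sh))
	}
}
```

Only the third case trips the check: a plain 0x0303 with no sentinel is just an older server and must stay accepted, and the same flagged ServerHello is harmless to a client that never offered 1.3. That last case is the caveat for anyone working around intolerant servers by retrying with a lower version: the retry lowers clientMax, so the sentinel no longer says anything, and the client has to remember what it originally offered for the protection to mean something.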

TLS 1.3 is not in the distant future. The draft is almost finalized, and at Cloudflare we have developed an open source stack in Go and support the protocol in beta for all websites. Chrome Canary and Firefox Nightly implement 1.3 clients.


Presenters:

  • Nick Sullivan
    Nick Sullivan leads the security engineering team at CloudFlare. He built many of the content security mechanisms for Apple’s multi-billion dollar iTunes store. He previously worked as a security analyst at Symantec analyzing large scale threat data. Nick is a hands-on engineering leader, software developer, and security architect with deep expertise in cryptography, computer security, software protection, information security, digital rights management and distributed systems. He is passionate about building and breaking secure systems and moving the state of computer security forward through technological innovation, open source software, writing, and speaking. His security expertise has been cited by news organizations including the New York Times, Wall Street Journal, CNN, Forbes, Bloomberg, Wired, re/code, The Verge, Schneier Blog, CBC, Ars Technica and others.
  • Filippo Valsorda
    Filippo Valsorda (@FiloSottile) is a systems and cryptography engineer at Cloudflare, where he's developing the experimental TLS 1.3 stack in Go and he kicked DNSSEC until it became something deployable. Nevertheless, he's probably best known for making popular online vulnerability tests, including the original Heartbleed test.

    Recent presentations:
      • 32c3: "The plain simple reality of entropy"
      • GopherCon: "From cgo back to Go"
      • HOPE XI: "Stealing Bitcoin with math"
      • HOPE XI: "The code archive"
      • HITB2015AMS: "Non-Hidden Hidden Services Considered Harmful: Attacks and Detection"
      • 2014 Hack.lu: "The Heartbleed test adventure"
      • HITB2014KUL: "Exploiting ECDSA failures in the Bitcoin blockchain"

    Filippo teaches the closely related training „Breaking Bad Crypto“ on faulty cryptography designs and implementations and how to break them. It was recently held at the DEF CON 21 and 23 CryptoVillage, 32c3, 31c3 and HITB2015AMS.

    Slides and links to videos: https://speakerdeck.com/filosottile. Additional blabbing: https://blog.filippo.io/hi/. The exploit kit is loaded only behind one of these links. Choose wisely.
