It’s Time to Replace SSL/TLS Karen P. Lewison, MD – CEO kplewison@pomcor.com Francisco Corella, PhD – CTO fcorella@pomcor.com 5/29/2014 -- Updated 5/31 to add link to white paper 1 Outline • Brief history and usage of SSL, TLS and DTLS • The core of the protocols • Shortcomings – Usability shortcomings: • Latency and bandwidth consumption of handshake – Privacy shortcomings: • Related to client authentication – Security shortcomings • Long history of vulnerabilities, some not yet addressed • It’s time for a replacement • Ingredients for a replacement • The formal verification challenge 5/29/2014 -- Updated 5/31 to add link to white paper 2 Brief history of SSL, TLS and DTLS • The Web (1990, Tim Berners Lee at CERN) – Document sharing – HTTP over TCP, no security • SSL (Secure Sockets Layer, 1995, Netscape) – https: HTTP over SSL over TCP – Encryption of credit card numbers => ecommerce – Encryption of passwords • TLS (SSL taken over by IETF, 1999) – TLS 1.0: January 1999 – TLS 1.1: April 2006 – TLS 1.2: August 2008 • DTLS (for use over UDP, 2006) 5/29/2014 -- Updated 5/31 to add link to white paper 3 Usage • TLS is the most widely used network security protocol • Primary use: web security (https) • Also used to protect email – Server-to-client download: POP3, IMAP – Server-to-server transmission SMTP – NOT used for end-to-end encryption of email (S/MIME or PGP) • Used to provide underlying security for many other IETF protocols: ACAP, COPS, FTP, NET-CONF, NNTP, SDP, SNMP • Often used instead of IPsec to create VPNs • DTLS used to protect the Session Initiation Protocol (SIP) for voice and video calls (VoIP) 5/29/2014 -- Updated 5/31 to add link to white paper 4 The protocol: two phases • Handshake: – Server authentication, optional but almost always used – Establishment of shared keys for traffic protection – Optional client authentication, rarely used except for • Authentication of federal employees with PIV/CAC cards • Traffic protection: – Traffic in each direction (client to server, server to client) is fragmented into records – Each record is authenticated by a MAC, and encrypted – 4 symmetric keys: 1 for authentication and 1 for encryption, in each direction 5/29/2014 -- Updated 5/31 to add link to white paper 5 Client Handshake using key transport Server Client random Server random, RSA public key certificate and certificate chain Generate premaster secret, derive master secret and traffic protection keys Premaster secret encrypted under server RSA public key, ChangeCipherSpec, client “Finished” Decrypt premaster secret, derive master secret and traffic protection keys ChangeCipherSpec, server “Finished” Application data 5/29/2014 -- Updated 5/31 to add link to white paper 6 Handshake with client authentication Client Server Client random Server random, RSA public key certificate and chain, certificate request Generate pms, ms, keys Client certificate and chain for digital signature public key, Premaster secret encrypted under server RSA public key, Signature on prior handshake messages, ChangeCipherSpec, client “Finished” Decrypt pms, derive ms, keys ChangeCipherSpec, server “Finished” Application data 5/29/2014 -- Updated 5/31 to add link to white paper 7 Handshake using ephemeral Diffie-Hellman (DH) key agreement • Server certificate contains a public key pertaining to a digital signature cryptosystem (RSA, DSA or ECDSA) • Server uses the digital signature private key to sign an ephemeral DH key pair – Ephemeral: used for one handshake, then deleted • DH key agreement produces premaster secret • Forward secrecy: adversary who captures the digital signature private key in the future cannot obtain the premaster secret, nor the master secret, nor the traffic protection keys because the ephemeral private key is discarded. 5/29/2014 -- Updated 5/31 to add link to white paper 8 DH key pair • DH parameters: – Prime modulus: p – Group generator: g – Private value: y – Public value: gy • DH private key: y • DH public key: (p, g, gy) 5/29/2014 -- Updated 5/31 to add link to white paper 9 Handshake using ephemeral DH => forward secrecy Client random Generate p, g, y, gy, Sign p, g, gy and randoms Server random, p, g, gy, signature, server certificate and chain Generate x, gx Premaster secret = gxy Derive ms, keys gx, ChangeCipherSpec, client “Finished” Premaster secret = gxy Derive ms, keys ChangeCipherSpec, server “Finished” Application data 5/29/2014 -- Updated 5/31 to add link to white paper 10 Usability shortcoming: handshake latency • Handshake requires up to two roundtrips (in addition to a TCP roundtrip and at least one data roundtrip) – At the speed of light, a signal takes 270ms to reach a geostationary satellite – Two round trips take 1080ms – Downloading a page may require many connections, hence many handshakes • Big problem for accessing the web via satellite from airplanes, ships, rural areas, Antarctica… 5/29/2014 -- Updated 5/31 to add link to white paper 11 Usability shortcoming: handshake bandwidth consumption • The server certificate chain typically comprises two or three certificates • Certificate size is typically more than 2KB • More bandwidth may be spent on certificates than on content • Problems: – Congestion on bandwidth-constrained networks – Increased data transmission costs and battery drain for mobile devices 5/29/2014 -- Updated 5/31 to add link to white paper 12 Deployed mitigation • Abbreviated handshake for session resumption (new connection with same master secret) – One roundtrip only – No certificate transmission – Session resumption is widely implemented, but only about 50% of handshakes are abbreviated, as estimated by Google 5/29/2014 -- Updated 5/31 to add link to white paper 13 Non-deployed mitigations • Fast-track – Client caches server certificate chain One roundtrip, no certificate transmission – Academic implementation, not deployed • False Start – Client sends application data before server “Finished” message One roundtrip – Deployed by Google in Chrome, then discontinued • Snap Start – Both of the above Zero roundtrips, no certificate transmission – Google idea, not implemented 5/29/2014 -- Updated 5/31 to add link to white paper 14 Privacy shortcomings related to client authentication • Client certificate, when used, is sent in the clear • Limited range of authentication methods – Supported: Public key certificates, attribute certificates • Server cannot ask for specific certificates or attributes – Not supported: Uncertified key pairs, U-Prove tokens, Idemix anonymous credentials, credentials based on group signatures; credentials based on identity-based cryptography, etc. • Client authentication is part of the handshake => very hard to add new authentication methods • Without TLS support, privacy enhancing authentication methods stand no chance of adoption – U-Prove and Idemix are not supported products – Attempt at productizing U-Prove failed 5/29/2014 -- Updated 5/31 to add link to white paper 15 Privacy features we are missing out on due to lack of support in TLS • Uncertified key pairs: – Cryptographic authentication without third-party involvement for returning user authentication – Same privacy as passwords, much stronger security • Idemix: – Selective disclosure of attributes, issue-show unlinkability, multishow unlinkability • U-Prove: – Selective disclosure, issue-show unlinkability • Selective disclosure certificates – Selective disclosure with a mere public key certificate 5/29/2014 -- Updated 5/31 to add link to white paper 16 Security shortcomings • Long history of vulnerabilities • Some have not been addressed yet • Some have been addressed in TLS 1.1 or 1.2, but most client and servers do not support either • Some are historic but interesting as illustration of network security concepts 5/29/2014 -- Updated 5/31 to add link to white paper 17 RSA timing vulnerabilities (historic) • Paul Kocher 1996 attack – Attacker asks server to decrypt many premaster secrets, uses a statistical technique to guess the RSA private key of the server by timing the decryptions – Technique not applicable if CRT optimization is used • Boneh and Brumley 2003 attack – Different timing attack against CRT optimization • Both attacks can be prevented by generating random r, multiplying the encrypted premaster secret xe by the inverse of re before decrypting, and multiplying the result by r (r—exe)d = r—edxed = r—1x (mod n) (r—1x) r = x (mod n) • This is the same technique used for RSA signature blinding 5/29/2014 -- Updated 5/31 to add link to white paper 18 RSA padding vulnerability (historic) • PKCS #1 version 1.5 specifies how the premaster secret x is to be padded before being encrypted as y = xe mod n • MITM replaces y with yse mod n for many s, producing the decryption (yse)d mod n = xedsed mod n = xs mod n • By observing which values of s produce a bad-padding error message from the server, attacker can compute the premaster secret x • Countermeasure: server does not report bad padding, uses random value as premaster secret instead 5/29/2014 -- Updated 5/31 to add link to white paper 19 The BEAST attack • Before TLS 1.1 (April 2006), traffic encryption with a block cipher (e.g. AES) in CBC mode used chained rather than random initialization vectors, allowing a block-adaptive chosen plaintext attack • Attacker can test guesses of plaintext blocks • No practical exploits were known until the BEAST attack (September 2011) recovered authentication cookies • At that time only 0.25% of servers and few browsers had upgraded to TLS 1.1 or TLS 1.2 • Today many servers have upgraded, but most still haven’t • Until recently, using the RC4 stream cipher instead of the AES block cipher was recommended as a countermeasure to BEAST; but RC4 vulnerabilities have now been found 5/29/2014 -- Updated 5/31 to add link to white paper 20 The Lucky Thirteen attack • Correct order for traffic protection: encrypt then authenticate • TLS using block cipher in CBC mode: – Authenticate then pad then encrypt – Pad is not authenticated • Chosen ciphertext attack can shift the plaintext so that it is interpreted as padding by the recipient • Before TLS 1.1, recipient omitted MAC computation if padding was not well formed Leak of plaintext info => plaintext recovery • After TLS 1.1 recipient should compute dummy MAC instead, but timing of MAC computation still leaks plaintext info Lucky Thirteen attack • Proposed mitigation – Add steps to MAC computation to hide timing differences – But proponents doubt that it will be effective 5/29/2014 -- Updated 5/31 to add link to white paper 21 Compression-related attacks (CRIME, TIME) • TLS has an optional traffic compression stage before traffic protection • Amount of plaintext compression depends on amount of redundancy in plaintext – And plaintext length cannot be effectively hidden by padding • Chosen plaintext attack: attacker injects string, compressed plaintext is shorter if injected string can be found elsewhere in plaintext Can test for the presence of strings in plaintext 5/29/2014 -- Updated 5/31 to add link to white paper 22 Renegotiation vulnerability • A TLS handshake can be performed over an existing connection to change the connection parameters – This is usually done to add client authentication • MITM of handshake can cause the server to believe that the handshake is a renegotiation of a prior TLS connection from the attacker and that the client data after the handshake is continuation of MITM data before handshake • The attacker can send an HTTP GET request to the server, and have it authenticated by the client • Countermeasure: secure renegotiation extension – Renegotiating client has to send the data in the “Finished” message of the previous handshake 5/29/2014 -- Updated 5/31 to add link to white paper 23 “Unknown key share (UKS)” vulnerability • Since the master secret is derived from random quantities generated by client and server during the handshake, it is commonly assumed that it is unique to a connection • But MITM can establish separate connections with client and server that have the same master secret 5/29/2014 -- Updated 5/31 to add link to white paper 24 Triple handshake attack 1. MITM creates sessions with client and server having same master secret – “Finished” data are different because server certs are different 2. MITM resumes both sessions – “Finished” data are now the same because no server certs are sent 3. MITM renegotiates both sessions – Renegotiation extension countermeasure is defeated because prior “Finished” data are the same 5/29/2014 -- Updated 5/31 to add link to white paper 25 CA compromise vulnerability • From time to time a CA is compromised (Comodo 3/2011, DigiNotar 9/2011) • A compromised CA can issue a certificate to any server • A server with a certificate from an expensive very secure CA can be impersonated as a result of a compromise of an unrelated cheap and less secure CA • This is because the TLS client gets the server certificate from the server itself 5/29/2014 -- Updated 5/31 to add link to white paper 26 Recap: current security posture • BEAST – Solved in TLS 1.1, but most servers still vulnerable • Lucky Thirteen – Not clear if implementations attempt or achieve mitigation • Compression-related attacks – Compression still in TLS, applications vulnerable if they use it • UKS – Not addressed • Triple handshake – Not addressed • CA compromise – Not solved 5/29/2014 -- Updated 5/31 to add link to white paper 27 It’s time to replace TLS • Why replace rather than fix? – TLS has too many shortcomings – It is already too complex, due to prior fixes • 5 versions in current use • 23 extensions • 28 RFCs – There is upgrade fatigue • Most servers have not yet upgraded to TLS 1.1 (April 2006) • Now is the time – Awareness of security and privacy breakdown on the Internet • Trying to replace TLS is not hopeless – New URL scheme can by used to indicate HTTP over new security protocol – Mobile apps can use any protocol they want to interact to their back-ends – Not the only replacement proposal (QUIC) 5/29/2014 -- Updated 5/31 to add link to white paper 28 Possible ingredients for a replacement • • • • • • • • • Identity-based cryptography DNS support Forward secrecy from second flow Optional: pre-shared key for server authentication in the enterprise Combination with TCP Fast Open Client authentication independent of handshake No compression No padding Encryption before authentication and/or authenticated encryption 5/29/2014 -- Updated 5/31 to add link to white paper 29 Identity-based cryptography • Trusted party called “private key generator (PKG)” analogous to certificate authority (CA) • Public key of entity is computed from ID of entity and public key of PKG • Private key of entity is computed from ID of entity and private key of PKG – Can only be computed by PKG – PKG gives it to entity 5/29/2014 -- Updated 5/31 to add link to white paper 30 Expiration and revocation • Key pair can be made to expire by adding an expiration date or time to the identity, e.g. – Server ID: “pomcor.com” – ID with expiration date: “pomcor.com-20140529” • Key pair can be revoked by adding a revocation counter – ID with revocation counter: “pomcor.com-4” – Latest ID must be retrieved from trusted repository • Short term expiration + emergency revocation counter – Pomcor.com-20140529-4 5/29/2014 -- Updated 5/31 to add link to white paper 31 Using ID-based cryptography for the new protocol • There are ID-based cryptosystems for encryption, digital signature and key agreement • ID-based encryption can be used for key transport instead of RSA encryption • There must be a hierarchy of PKGs just as there is a hierarchy of CAs • The PKG hierarchy must have multiple roots just as the CA hierarchy has multiple roots 5/29/2014 -- Updated 5/31 to add link to white paper 32 Traditional hierarchical identity-based encryption, with single root • Chain of PKGs – Private key issuance: PKG0 PKG1 … PKGn server • Identity chain of server: (Name, IDn, … , ID1) • One set of cryptographic domain parameters • Public key of server = identity chain + domain parameters 5/29/2014 -- Updated 5/31 to add link to white paper 33 Proposed hierarchical identity-based encryption, with multiple roots • Chain of PKGs PKG0 PKG1 … PKGn server • Identity chain of server: (Name, IDn, … , ID1, ID0) • Each root has its own domain parameters • Domain parameters of trusted root PKGs are stored by client • Tail of server identity chain (IDn, … , ID1, ID0) replaces certificate chain, but is much shorter 5/29/2014 -- Updated 5/31 to add link to white paper 34 DNS support • Tail of server identity chain retrieved from DNS rather than server – By contrast, certificate chain would be too large to be reliably retrieved from the DNS Zero roundtrips if replay of first data is not a problem DNSSEC solves the “CA compromise shortcoming” – DNS without DNSSEC mitigates it • Compare to DANE 5/29/2014 -- Updated 5/31 to add link to white paper 35 Forward secrecy from second flow • ID-based key transport => initial traffic protection keys • Ephemeral DH => subsequent traffic protection keys • Client sends its EDH public key protected by initial keys in first flow • Server sends its EDH public key protected by initial keys followed by data protected by subsequent keys in second flow • QUIC independently came up with similar trick 5/29/2014 -- Updated 5/31 to add link to white paper 36 Generate client random (cr) Generate pms1 Derive ms1 and keys1 from pms1 and cr (no antireplay) Generate p, g, x, gx cr, pms1 under server pub key, change (to keys1), (p, g, gx), data1 Decrypt pms1 Derive ms1 and keys1 from cr and pms1 Decrypt (p, g, gx) and data1 Generate y, gy pms2 = gxy Generate server random (sr) Derive ms2 and keys2 from pms2, cr and sr Implicit change (to keys1), sr, gy, change (to keys2), data2 pms2 = gxy, Derive ms2 and keys2 from pms2, cr and sr Decrypt data2 change (to keys2), data3 5/29/2014 -- Updated 5/31 to add link to white paper 37 Pre-shared key for server authentication • Alternative way of avoiding certificate chains • Well suited for corporate intranet • Available in TLS 5/29/2014 -- Updated 5/31 to add link to white paper 38 Combination with TCP Fast Open • TCP Fast Open eliminates the TCP roundtrip in some cases – Implemented in kernel – Available in Linux, Chrome OS and Android – Support by Chrome browser but disabled by default – Relies on client caching a “TCP cookie” 5/29/2014 -- Updated 5/31 to add link to white paper 39 Client authentication independent of handshake • Server asks for one or more identifiers or attributes at any time after the secure connection has been established • Server tells client what kind of credentials it supports • Clients presents credentials of types acceptable to server, with identifiers or attributes requested by server • Credential presentation protocols are specified independently from the handshake 5/29/2014 -- Updated 5/31 to add link to white paper 40 No compression • Compression before encryption may leak information, compression after encryption does not work => TLS should not include compression • Application layer compression (e.g. HTTP compression) can also leak information: BREACH attack • But application layer could address the problem (e.g. by using multiple compression contexts) where as TLS cannot 5/29/2014 -- Updated 5/31 to add link to white paper 41 No padding • Use CFB, OFB or authenticated encryption modes that require no padding instead of CBC mode 5/29/2014 -- Updated 5/31 to add link to white paper 42 Authentication after encryption • Authentication after encryption has been proven secure – MAC on ciphertext provides effective defense against chosen ciphertext attacks • An alternative is authenticated encryption modes of operation, which simultaneously encrypt and authenticate – A.k.a. authenticated encryption with added data (AEAD) – GCM, CCM, etc. 5/29/2014 -- Updated 5/31 to add link to white paper 43 The formal verification challenge • Avoiding a string of vulnerabilities will require formal verification • But formal verification will be very challenging, for three reasons… 5/29/2014 -- Updated 5/31 to add link to white paper 44 1. The problem is intrinsically difficult • Stating the security goal is difficult – Security is not absolute: goal is to prove that the adversary is unlikely to win, in some sense • Modeling a network security protocol is difficult – It’s easy to miss key details – Example: the use of CBC mode in TLS was proved correct, overlooking the IV chaining mistake • Modeling the adversary may be even more difficult 5/29/2014 -- Updated 5/31 to add link to white paper 45 2. The state of the art needs improvement • Verification consists of proofs on paper, which are extremely complex and not always rigorous • Bellare and Rogaway: “In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor.” 5/29/2014 -- Updated 5/31 to add link to white paper 46 3. Some of the proposed ingredients may require new verification techniques • Explicit reliance on the DNS for security • Combination of two different key establishment techniques in the same protocol 5/29/2014 -- Updated 5/31 to add link to white paper 47 Thank you for your attention! Any questions? Whitepaper at http://pomcor.com/whitepapers/TimeToRedesignTLS.pdf Karen P. Lewison kplewison@pomcor.com Francisco Corella fcorella@pomcor.com 5/29/2014 -- Updated 5/31 to add link to white paper 48