Lecture 18: Transport Layer Security Protocol Part 2

Question 1

Give an overview of the TLS handshake protocol

Answer 1

1) Specify which version of TLS they will use (mostly TLS 1.2or 1.3)
2) Decide on which cipher suites they will use
3) Authenticate the identity of the server via the server’s public key and the certificate authority’s digital signature
4) Generate session keys in order to use symmetric encryption after the handshake is complete

Question 2

Give the steps for the TLS handshake protocol with RSA key exchange

Answer 2

See slide 6 in set 18

Question 3

Give the steps for the TLS handshake protocol with Diffie-Hellman key exchange

Answer 3

See slide 7 in set 18

Question 4

Give an overview of the TLS record protocol

Answer 4

guarantees confidentiality and integrity of application data using the session keys created during the handshake

1) dividing outgoing messages into manageable blocks and re-assemble incoming messages
2) (optional) compress outgoing blocks and decompress incoming blocks
3) apply a MAC to outgoing messages and verify incoming messages using the MAC
4) encrypt outgoing messages and decryption incoming messages

Question 5

When the TLS Record Protocol is complete, where does the outgoing encrypted data go?

Answer 5

its passed down to the TCP layer for transport

Question 6

Comment on backward compatibility i.t.o TLS

Answer 6

Backward compatibility is a problem

• -> SSL 3.0 deprecated in 2015
• -> EOF for TLS 1.0 and 1.1 only in 2020
• -> TLS 1.2 still most widely supported -> supported by 995% websites
• -> TLS is slowly adopted -> 47.8% websites

Question 7

What are the limitations of TLS i.t.o attacks?

Answer 7

Many servers do not support latest TLS versions and are not protected against known attacks

e.g. RC4 vulnerable and offered by TLS 1.2 but not 1.3 but 1.2 still common

Question 8

Explain the BEAST attack on TLS

Answer 8

Exploiting non-standard use of IV in CBC mode encryption

–> IVs are chained from the previous ciphertexts

–> Allowing the attacker to recover the plaintext byte by byte

Question 9

What does the BEAST attack stand for?

Answer 9

Browser Exploit Against SSL/TLS

Question 10

Is the BEAST attack considered as a realistic attack?

Answer 10

Not any more

Question 11

What is the mitigation strategy implemented by most browsers for the BEAST attack?

Answer 11

Splitting the plaintext into first byte and remainder to force a randomized IV including a MAC computation

Question 12

Explain the CRIME and BREACH attacks on TLS

Answer 12

Side channel attacks based on compression

–> Different inputs result in different amounts of compression

–> CRIME exploits compression in TLS

–> BREACH exploits compression in HTTP

Question 13

When was the idea of the CRIME and BREACH attacks raised?

Answer 13

2002

Question 14

What were the stages of the BEAST attack (history)?

Answer 14

2002 –> theoretical weakness
2011 –> practical weakness
Only ransom IV from TLS 1.1
No longer considered as a realistic threat

Question 15

Comment on switching off compression in TLS i.t.o the CRIME and BREACH attacks

Answer 15

Commonly recommended to switch off compression in TLS
–> compression not available in TLS 1.3

Switching off in HTTP results in big performance hit

Question 16

What is the POODLE attack?

Answer 16

The POODLE threat is a man-in-the-middle attack that forces modern clients (browsers) and servers (websites) to downgrade the security protocol to SSLv3 from TLSv1 or higher. This is done by interrupting the handshake between the client and server; resulting in the retry of the handshake with earlier protocol versions

High level –> Forcing downgrade to SSL 3.0, and then running padding oracle attack

Question 17

What does POODLE stand for?

Answer 17

Padding Oracle On Downgraded Legacy Encryption

Question 18

What does the padding oracle in the POODLE attack enable?

Answer 18

an attacker to know if a message in a ciphertext is correctly padded

Question 19

Comment on the POODLE attack becoming a theoretical idea

Answer 19

In 2002

Encryption in CBC mode can provide a padding oracle due to its error propagation properties

Applied to TLS in a variety of attacks

Question 20

What is the main mitigation of the POODLE attack?

Answer 20

having a uniform error response, so that the attacker cannot distinguish padding errors from MAC errors

Question 21

Where did the heartbleed bug arise from?

Answer 21

Implementation error in toolkit OpenSSL

Result from improper input validation based on missing bounds check in heart beat messages

Question 22

What does the heartbleed bug allow for?

Answer 22

memory leakage from the server which is likely to include session keys and long-term keys.

Question 23

When was the heartbleed bug discovered and what was done to resolve it?

Answer 23

2014 error discovered

Required updating of many server keys after the bug was fixed

Question 24

Is it reasonable that big companies use a free software for securing important transactions?

Answer 24

If free, no ones pays to check security –> risky

Question 25

When was the MITM attack first discovered? What was it relying on?

Answer 25

2015

Attack relying on issuing a new certificate and installing a root certificate in the browser

Question 26

Comment on Superfish i.t.o the MITM attack

Answer 26

media company whose software was bundled with some Lenovo computers

–> Users expressed concerns about scans of SSL-encrypted web traffic pre-installed on Lenovo machines

–> US department of Homeland Security warned users to remove the root certificate

–> 2015 Superfish closed

Question 27

List the names of other attacks on TLS

Answer 27

1) STARTTLS command injection attack
2) Sweet32 attack
3) Triple Handshake attack
4) RC4 attacks
5) Lucky Thirteen attack (padding oracle attack)
6) Renegotiation attack

Question 28

Give a brief outline of the history of TLS 1.3

Answer 28

2014 –> first draft version
Jan 2018 –> internet draft versionn
Aug 2018 –> RFC 8446 published

Browser support by default”

–> Draft version since Chrome 65 and final version (for out going connections) since Chrome 70

–> Draft version in Firefox 52 and above (including Quantum)and final version since Firefox 63

–> Since Microsoft Edge version 76, and Safari 12.1 on mac OS 10.14.4

Question 29

Was static RSA and Diffie-Hellman key exchange suppressed in TLS 1.3?

Answer 29

yes

Question 30

Was renegotiation suppressed in TLS 1.3?

Answer 30

yes

Question 31

Was SSL negotiation suppressed in TLS 1.3?

Answer 31

yes

Question 32

Was DSA suppressed in TLS 1.3?

Answer 32

yes

Question 33

Was data compression suppressed in TLS 1.3?

Answer 33

yes

Question 34

Were non-AEAD cipher suites suppressed in TLS 1.3?

Answer 34

yes

Question 35

Were MD5 and SHA-224 hash functions suppressed in TLS 1.3?

Answer 35

yes

Question 36

Was the Change Cipher Spec protocol suppressed in TLS 1.3?

Answer 36

yes

Question 37

What are the 7 properties/items added to TLS 1.3?

Answer 37

See slide 22 in set 18

Question 38

Compare the handshake protocol for TLS 1.2 and 1.3

Answer 38

See slide 23 in set 18

Question 39

What is 0-RTT based on?

Answer 39

pre-shared key (resumption master secret)

Question 40

How is the pre-shared key obtained i.t.o 0-RTT??

Answer 40

when server and client complete a handshake for the first time

Question 41

What is the pre-shared key used for i.t.o 0-RTT? What is the benefit?

Answer 41

Using that key when establishing a connection again at a later time

–> So avoiding to perform the handshake a second time

Question 42

What does 0-RTT stand for?

Answer 42

zero round trip time

Question 43

Is 0-RTT really zero round trip time?

Answer 43

TLS 1.3 handshake is 1-RTT instead of 2-RTT

Question 44

What are the limitations of 0-RTT?

Answer 44

1) Resumption data require no interaction from the server
2) An attacker can capture encrypted 0-RTT data and re-send them to the server

3) If the server is misconfigured, then it may accept replayed requests as valid
- -> Allowing the attacker to perform unsanctioned actions

Question 45

Give the diagram for 0-RTT for TLS 1.3

Answer 45

See slide 25 in set 30

Question 46

Does the full handshake in TLS 1.3 using ephemeral DH key exchange result in 0-RTT or 1-RTT?

Answer 46

1-RTT

Question 47

Explain the process of the the full handshake in TLS 1.3 using ephemeral DH key exchange which results in 1-RTT

Answer 47

See slide 26 in set 18

Question 48

Give the steps for session resumption process which still exists in TLS (mostly 1.2) which is still 1-RTT

Answer 48

See slide 27 in set 18

Question 49

When does 1-RTT apply i.t.o TLS?

Answer 49

A user visits a website not for the first time

• -> already visited recently
• -> resuming previous connection (which was established using TLS)

Question 50

Give the steps for session resumption process which uses 0-RTT

Answer 50

See slide 28 in set 18

Question 51

Explain the example about 0-RTT for TLS 1.3 on slide 29 in set 18

Answer 51

See slide 29 in set 18

Question 52

What are different kinds of attacks on TLS 1.3?

Answer 52

1) implementation errors
2) poor choice of cryptographic primitives
3) flaws in protocol
4) downgrade attacks (backward compatibility)

Question 53

What is meant by complexity being a major problem i.t.o the security of TLS 1.3?

Answer 53

TLS 1.3:

1) removes many cipher suites and protocol options
2) simplifies the handshake protocol
3) adds new features (e.g. 0-RTT mode) which presents new challenges