TLS Flashcards
(37 cards)
Which security properties can TLS provide?
It provides:
- server authN wth implicit asymmetric challenge response
- client authN (optional) with explcit asymm CR
- data integrity and data authN
- protection from replay and filtering attacks thanks to TCP and implicit sequence number
TLS architecture
TLS lays over TCP and uses the TLS Record Protocol to encapsulate application data.
The Record Protocol is used by:
- TLS handshake protocol: to negotiate crypto parameter
- TLS alert protocol: to send alertss about an error during the connection (ex. wrong MAC value)
- TLS change cipher spec: to start protecting the exchanged messages with the negotiated crypto parameters
Are the finished messages and the change cipher spec protocol the same?
No.
The Change Cipher Spec Protocol is used to change keys or algorithms without closing the channel. This is crucial because, after transferring a significant amount of data with the same algorithm and key (e.g., for encryption), the attacker has more opportunities to perform cryptanalysis. The more data that is encrypted with the same cipher-key pair, the higher the probability of determining the key. This protocol allows the system manager to change the keys after a certain amount of time or data exchanged, without closing the channel. It is also used at the beginning to transition the channel from unprotected to protected.
- finished: to authN the handshake -> the finished message is a MAC computed using the master secret and it is computed over all the messages exchanged before -> the finisched of the client and of the server will be different cause the server computes it considering also the client’s finished. It does not consider the change cipher spec.
How does the alert protocol work?
The Alert Protocol is used whenever there is an issue. When an alert record is sent then the connection is closed.
Sessions and connections in TLS
Session
It is a logical association between a client and a server which is created during the TLS Handshake.
Multiple connections can be associated to the same session and use the cryptographic parameters negotiated during the handshake.
Connection
It is a transient channel which is part of a session and it is between a server and a client.
TLS data protection
Application data are encapsulated with the TLS Record Protocol.
It mandatorily computes the MAC for integrity and optionally encrypts the obtained structure for confidentiality with symmetric enc algos and using an authN-then-encrypt schema.
The flows is the following:
- a TLS record is created with an empty MAC field (fixed sixe based on the chosen function) and random padding
- the MAC is computed over the data (that can be compressed or not) and inserted in the field. The directional MAC key is used
- the Enc key is used (with IV if needed) to encrypt the record
MAC = message_digest (key, seq_number || type || version || length || fragment)
TLS keys
They are 4 directional keys, 2 for MAC and 2 for Encryption.
During the handshake the client generates a pre-master secret that, only for the first connection, is combined with the random numbers to generate the master secret. Pre-master and master secrets will be used during the whole session.
The keys derive from the combination of master and random numbers and are re-generated at each connection.
TLS sequence number
Implicit, 2^64 values, then the session is closed.
It helps in avoiding replay and filtering attacks.
PFS in TLS
If a server has a certificate valid for both signature and encryption, then such a certificate can be used both for authentication (via a signature) and key exchange (asymmetric encryption of the session key).
But if an attacker copies all the encrypted traffic and later discovers the long-term private key, then
they can decrypt all the traffic…past, present, and future!
For this reason, the concept of perfect forward secrecy has been introduced. It ensures that:
* The compromise of the secret key used in the KE (Key Exchange) compromises only the current (and potentially future) traffic, but not the past traffic.
* It can be implemented using techniques such as ephemeral key exchange mechanisms (e.g., Diffie- Hellman Ephemeral (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)).
Perfect forward secrecy is optional in TLS 1.2 but compulsory in TLS 1.3.
Ephemeral keys
A technique to reach PFS is to use ephemeral keys, that are key pair generated on-the-fly and signed with the long provate key (in this case of the server).
- if E keys are used this can be considered server authN
- the on the fly key pair won’t actually have a X.509 certificate
- the long term private key will only be used to sign data (keyUsage = digitalSignature) while the E key will be used to perform encryption
TLS1.2 handshake
ClientHello
TLS version + ciphersuite list + compression method lists + 28B ClientRandom + sessionID
Each ciphersuite is in the from:SSL_KeyExchangeAlgorithm_WITH_SymmetricEncryptionAlgorithm_HashAlgorithm(for MAC) ;
ServerHello
chosen TLS version + chosen ciphersuite list + chosen compression method lists + 28B ServerRandom + chosen sessionID
Certificate
Server X.509 certificate with the certificate chain to verify it.
[ServerKeyExchange]
Only if Ephemeral keys are used, here the server sends to the client the ephemeral public key encrypted with its long term secret key.
This is the only message explicitly signed by the server
[CertificateRequest]
The server asks the client for its certificate and shares the list of its trusted CAs.
[Client Certificate]
The client shares its X.509 certificate.
Client Key Exchange
The client encrypts the pre-master secret with the received pub key.
[Certificate Verify]
The client performs a signature over the digest computed over all the messages before this one. The server will compute the digest and verify the signature with the claimed client public key.
C: ChangeCipherSpec
Allows to pass from the previous unprotected messages to the protection of the next messages with the negotiated algorithms and keys
C: Finished
The client computes and hash with the master secret over the exchanged messaged but the changecipherSpec.
It prevents rollback man-in-the-middle attacks (version downgrade or cipher suite downgrade)
S: ChangeCipherSpec
S: Finished
The server computes and hash with the master secret over the exchanged messaged but the changecipherSpec
TLS resumed session
The client sends a session ID ≠ 0 in the ClientHello and the session is resumed if the server responds with the same sessionID in the ServerHello.
If the session is resumed then the new keys are generated with the new randoms and the master secret of the session.
TLS link teardown
If the client wants to close a connection it uses the Alert protocol:
- the client sends the alert close_notify that is protected by the MAC
- it waits for the ACK from the server: alert close_notify that is protected by a MAC too.
- they both check the MAC value and effectively close the connection if the value is the expected one.
The acknowledgment is needed to avoid closing a connectin if a fake request to do so is received.
TLS setup time
TLS1.2
It takes 2RTT, 1 if False Start is used
- (C→S) SYN
– (S→C) SYN-ACK - (C→S) ACK + ClientHello
– (S→C) ServerHello + Certificate - (C→S) ClientKeyExchange + ChangeCipherSpec + Finished
– (S→C) ChangeCipherSpec + Finished
TLS1.3
Basically, it’s a 1-RTT handshake that can be reduced to 0-RTT upon resumption of a previous session (or by using Pre-Shared Key, which is rare).
TLS versions
TLS algorithms evolution
ALPN extension
Application Layer Protocol Negotiation
It is a TLS extension needed to negotiate the apllication level protocol that will run over TLS while performing the TLS handshake. This is useful to avoid setting up a TLS connection that will be closed because no common application level protocol is found.
- During the (ClientHello) ALPN=true + list of supported application protocols:
the client indicates that ALPN is supported and provides a list of supported application protocols. - During the (ServerHello) ALPN=true + selected application protocol: the server responds by indicating that ALPN is supported and selects one of the application protocols from the client’s list.
TLS downgrade problem and solution
During the TLS handshake, with ClientHello and ServerHello, the two parties agree on the TLS version to be used. The client proposes the supported versions and the server should choose the highest one it has in common among the ones present in the list.
The problem is that when the server doesn’t find a supported version, the connection is closed. In this case the client re-tries with a new connection and proposes some lower versions.
This mechanism can be exploited by a MITM attacker that sends to the client fake server responses making it believe that it has to retry to connect with lower protocol versions.
This process is iterated till the client asks for a vulnerable TLS. version that the attacker can exploit to run suitable attacks.
- The process starts when the client tries to reconnect to a specific server with an older protocol version.
- The client SHOULD send TLS_FALLBACK_SCSV when re-opening a downgraded connection in the clientHello. This cipher suite should be listed last in the cipher suite list.
- If the server supports a newer protocol version than the protocol version already sent by the client in the last clientHello message, a new fatal alert value,
inappropriate_fallback, MUST be sent by the server to the client. When this alert is sent, the channel is closed, and the client should retry with its highest protocol version.
TLS virtual servers problem and solution
There are scanarios where multiple servers with different logical names have the same IP address. When HTTPS is used it is difficult to understand which certificate to request.
Solutions:
* wildcard certificates: one cert for multiple servers with the same domain. Problems: key shared among the servers
* Use the Subject Alternate Name extension of the X.509 certificate: this means that the key has to be shared and that every time a server is added or delate the certifcate has to be reissued
* SNI (Server Name Indication) extension: allows the client to specify the server name in the ClientHello message. However, support for SNI is limited among browsers and servers.
TLS attacks (list)
- Heartbleed
- Bleichenbacher
- CRIME
- BREACH
- BEAST
- POODLE
- FREAK
TLS False Start
TLS False Start, defined in RFC-7918, is a technique that allows the client to send application data together with the ChangeCipherSpec and Finished messages in a single TCP segment, without waiting for the corresponding server messages. This approach reduces latency to 1-RTT, making the connection establishment faster.
TLS session tickets
They are data structures sent from the server to the client, ecnrypted with the SECRET key of the server and containing the crypto parameters of a TLS session.
This allows to move the cache on the client without the sever having to cache all the parameters of all the. negotiated sessions.
TLS1.3 features and modifications
- handshake speed up, shorter latency -> reduced RTT
- encrypt more of the handshake -> key share is immediately done and other messages can be encrypted
- imporving resiliency to cross protocols
- KDF is redesigned
- only AEAD modes, so no more MAC keys
- 5 orthogonal cryptosuites that only specify encryption algorithm and mac algorithm
- signature is only performed using the RSA-PSS schema
- ephemeral keys are compulsory
TLS1.3 handshake
ClientHello:
* Client random
* Highest supported protocol version
* Supported ciphersuites and compression methods (TLS1.2)
* Session ID
* extensions
The extensions in the Client Hello can be:
* key_share which is the portion of the client of (EC)DHE
* signature_algorithms which contains the list of supported algorithms
* psk_key_exchange_modes that contains the list of supported modes for key exchange
* pre_shared_key that is the list of pre-shared keys offered, if any (could be missing if there’s no pre- shared key)
ServerHello:
* the selected ciphersuite
* selected compression method
* session ID
* Server Random
* extensions
Among the server extensions:
* key_share is the portion of the key generated by the server using (EC)DHE
* pre_shared_key = selected PSK, if any
After this exchange, the certification and both client-server finished messages are encrypted: after the server sends the “key share” message, the client and server are able to create the pre-master secret and derive all necessary keys from it.
The next handshake messages that can be sent are of type:
* EncryptedExtensions
* CertificateRequest
* Certificate
* CertificateVerify
* Finished
* NewSessionTicket
* KeyUpdate
* EndOfEarlyData: If the server sent an “early_data” extension in EncryptedExtensions,
the client MUST send an EndOfEarlyData message after receiving the server Finished. If the server does not send an “early_data” extension in EncryptedExtensions, then the client MUST NOT send an EndOfEarlyData message. This message indicates that all 0-RTT application_data messages, if any, have been transmitted and that the
For backward compatibility, TLS 1.2 messages are also sent and most of TLS 1.3 features are in message extensions. This way, if the client is capable of using TLS 1.3, it will understand the extensions and fully use TLS 1.3; otherwise, it will use TLS 1.2.
