SlideShare una empresa de Scribd logo

Tlsoptimizationprint 120224194603-phpapp02

F
fangjiafu
TecnologíaEducación
1 de 45
Descargar para leer sin conexión
Optimizing TLS/SSL Nate Lawson Cal Poly Grad Networks February 21, 2012 Friday, February 24, 2012
Root Labs • Design and analyze security systems • Emphasis on embedded, kernel, reverse engineering, and cryptography Friday, February 24, 2012
Focus • Smart phones, set-top boxes, game consoles, 2-factor tokens • Trusted boot, device drivers • Software tamper resistance Friday, February 24, 2012
Before • Cryptography Research • Paul Kocher’s company (author of SSL 3.0) • Co-designed Blu-ray disc security layer, aka BD+ • Infogard Labs in SLO Friday, February 24, 2012
SourceDNA • Software similarity search engine • Scale index to large number of binaries • Perform sophisticated alignment Friday, February 24, 2012
Overview • SSL walkthrough • False Start • BEAST attack • Snap Start Friday, February 24, 2012
History • SSL (Secure Sockets Layer) v2.0 (1994) • Serious security problems including incomplete MAC coverage of padding • SSL v3.0 (1996) • Major revision to address security problems • TLS (Transport Layer Security) 1.0 (1999) • Added new crypto algorithm support • IETF takes over • TLS 1.1 (2006) • Address Vaudenay’s CBC attacks on record layer • TLS 1.2 (2008) • SHA/MD5 for Finished message now SHA-256 Friday, February 24, 2012
Layered model • SSL provides security at the transport layer (OSI model L4) • Stream of bytes in, private/untampered stream of bytes out • Application logic is unmodified • Can be adapted to datagram service also (DTLS) • Compare to IPSEC • Mostly used as an L3 protocol (datagram tunneling) Friday, February 24, 2012
Security goals • Privacy • Data within SSL session should not be recoverable by anyone except the endpoints • Integrity • Data in transit should not be modified without detection • Authentication • No endpoint should be able to masquerade as another Friday, February 24, 2012
Attacker capabilities • Normal participant • Can talk to server that is also talking to other parties • Passive eavesdropping • Observe any or all messages sent by other parties • Active (Man in the Middle) • Insert or replay old messages • Modify • Delete or reorder Friday, February 24, 2012
Symmetric crypto • Block ciphers turn plaintext block into ciphertext using a secret key • Recipient inverts (decrypts) block using same key • Examples: AES, 3DES Friday, February 24, 2012
Block chaining • Often requires “chaining” to encrypt messages longer than a single block • This does not provide integrity protection Friday, February 24, 2012
Public key crypto • Data transformed with one key can only be inverted with the other key (asymmetric) • Examples: RSA, (EC)Diffie-Hellman, (EC)DSA • Can encrypt data to a recipient without also being able to decrypt it afterward • Can sign data by encrypting it with one key and publishing the other Friday, February 24, 2012
Friday, February 24, 2012
Certificates • Associate a name with a public key • Trusted party uses private key to sign the message “joe.com = 0x09f9…” • Public key of trusted party came with your web browser • Key management still a problem • Expire certs and explicitly revoke them if a private key is compromised (CRL) • Or, check with the trusted party each time you want to use one (OCSP) Friday, February 24, 2012
TLS Handshake Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished ApplicationData ApplicationData Friday, February 24, 2012
Hello • Initiates connection and specifies parameters Client / ServerHello Version • Initiator sends list (i.e., RandomData SessionID CipherSuites) and CipherSuites responder selects one CompressionMethods item from list • SessionID is used for resuming (explained later) Friday, February 24, 2012
Certificate • Provides a signed public key value to the other Certificate party ASN.1Cert • Other side must verify (X.509 v3 format) information • CN field is myhost.com = IP address in TCP connection • Cert chain back to root Friday, February 24, 2012
ServerHelloDone • Signifies end of server auth process • Allows multi-pass authentication handshake • Cert-based auth is single-pass Friday, February 24, 2012
ClientKeyExchange • Client sends encrypted premaster secret to server ClientKeyExchange RSA-PubKey-Encrypt( • ClientVersion Assumes RSA public key PreMasterSecret[48] crypto (most common) ) • Server checks ClientVersion matches highest advertised version Friday, February 24, 2012
ChangeCipherSpec • Indicates following datagrams will be encrypted MasterSecret computation • Disambiguates case Hash( PreMasterSecret where next message may ClientRandom be error or encrypted ServerRandom data ) • Each side now calculates data encryption key (K) Friday, February 24, 2012
Finished • Indicates all protocol negotiation is complete and data may be Finished exchanged AES-K-Encrypt( Magic MD5(handshake_messages) • Includes hashes of all SHA1(handshake_messages) handshake messages ) seen by each side • Also, magic integers 0x434C4E54 or 0x53525652 (why?) Friday, February 24, 2012
ApplicationData ApplicationData • Encapsulates encrypted AES-CBC-K-Encrypt( data for duration of Type session Version Length Data • Can span multiple TCP MAC Padding packets PaddingLength ) Friday, February 24, 2012
Session resumption Friday, February 24, 2012
TLS Handshake Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished ApplicationData ApplicationData Friday, February 24, 2012
Session resumption Client Server ClientHello ServerHello [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished ApplicationData (request) ApplicationData (response) Friday, February 24, 2012
False Start Friday, February 24, 2012
False Start Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished ApplicationData (request) [ChangeCipherSpec] Finished ApplicationData (response) Friday, February 24, 2012
Security • Attacker spoofing server can modify: • Version • RandomData • SessionID • CipherSuites & CompressionMethods • Certificate • Client will only detect after Finished message received or timeout Friday, February 24, 2012
BEAST attack Friday, February 24, 2012
CBC encryption P1 P2 P3 IV ⊕ ⊕ ⊕ AESEnc AESEnc AESEnc C1 C2 C3 Friday, February 24, 2012
IV reuse P1 P2 P3 P4 IV ⊕ ⊕ IV’ ⊕ ⊕ AESEnc AESEnc AESEnc AESEnc C1 C2 C3 C4 Friday, February 24, 2012
Process 1. Send message with 1 unknown byte 2. Send another message with guess for that byte aligned with same slot 3. If ciphertext matches, guess was correct Repeat for up to 256 * n bytes of secret Friday, February 24, 2012
HTTP GET /example HTTP/1.1 Host: server.example.com Origin: http://example.com Cookie: 0123456789abcdef Friday, February 24, 2012
HTTP GET /example?PAD=AAA HTTP/1.1 Host: server.example.com Origin: http://example.com Cookie: 0123456789abcdef Friday, February 24, 2012
IV reuse P1 P2 P3 P4 P5 P6 IV ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ AESEn AESEn AESEn AESEn AESEn AESEn C1 C2 C3 C4 C5 C6 ... ?PAD=AAA_ HTTP/1.1rnCookie: 0 123456789abcdef Friday, February 24, 2012
IV reuse P1 P2 P3 P4 P5 P6 IV ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ AESEn AESEn AESEn AESEn AESEn AESEn C1 C2 C3 C4 C5 C6 ... ?PAD=AA_H TTP/1.1rnCookie: 01 23456789abcdef Friday, February 24, 2012
IV reuse P1 P2 P3 P4 P5 P6 IV ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ AESEn AESEn AESEn AESEn AESEn AESEn C1 C2 C3 C4 C5 C6 ... ?PAD=A_HT TP/1.1rnCookie: 012 3456789abcdef Friday, February 24, 2012
Relations G =15 bytes known data || 1 byte guess P3 = C2 ⊕ G C3 = AES(C2 ⊕ C2 ⊕ G) = AES(G) Friday, February 24, 2012
Attacker requirements • Ability to choose or influence some of the message •Internal alignment via adjustment of padding fields •Choice of plaintext guess • Partial knowledge of the original message • See each previous record’s C2 (IV’) Friday, February 24, 2012
Snap Start Client Server ClientHello Snap Start Extension ClientKeyExchange [ChangeCipherSpec] Finished ApplicationData (request) [ChangeCipherSpec] Finished ApplicationData (response) Friday, February 24, 2012
Snap Start changes • Server advertises initial orbit and cipher suite in Hello extension • On next connection, client sends: • Prior orbit, cipher suite • Chosen random_bytes • Checksum of predicted server handshake Friday, February 24, 2012
Limitations • Client uses cached cipher suite • Client chooses random_bytes • Server must track some number of previous values and reject connection if reused • Server must validate timestamp • No SessionID and so no resume or must use session tickets Friday, February 24, 2012
Conclusions • SSL provides a well-tested secure transport layer • Security protocols require careful interdependence of components • Easy to make mistakes designing security and crypto in particular Friday, February 24, 2012
References TLS Overview, http://en.wikipedia.org/wiki/Transport_Layer_Security False Start draft, https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00 Snap Start draft (withdrawn), http://www.imperialviolet.org/binary/draft-agl- tls-snapstart-00.html Security criticism of False & Snap Start, http://www.ietf.org/mail-archive/ web/tls/current/msg06933.html BEAST Attack description, http://www.educatedguesswork.org/2011/09/ security_impact_of_the_rizzodu.html Fixing BEAST, http://www.educatedguesswork.org/2011/11/ rizzoduong_beast_countermeasur.html Friday, February 24, 2012

Recomendados

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013javagroup2006
 
Reversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into GatakaReversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into Gatakajiboutin
 
Boutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gatakaBoutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gatakaDefconRussia
 
MySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldMySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldDave Stokes
 
Cryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsCryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsSashank Dara
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryDan Kaminsky
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101Chul-Woong Yang
 

Recomendados

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013javagroup2006
 
Reversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into GatakaReversing banking trojan: an in-depth look into Gataka
Reversing banking trojan: an in-depth look into Gatakajiboutin
 
Boutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gatakaBoutin reversing banking trojan. an in-depth look into gataka
Boutin reversing banking trojan. an in-depth look into gatakaDefconRussia
 
MySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldMySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldDave Stokes
 
Cryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsCryptography Challenges for Computational Privacy in Public Clouds
Cryptography Challenges for Computational Privacy in Public CloudsSashank Dara
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryDan Kaminsky
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101Chul-Woong Yang
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101Chul-Woong Yang
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Amazon Web Services
 
Data Security for Project Managers
Data Security for Project ManagersData Security for Project Managers
Data Security for Project ManagersJoseph Wojowski
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013javagroup2006
 
key aggregate cryptosystem for scalable data sharing in cloud
key aggregate cryptosystem for scalable data sharing in cloudkey aggregate cryptosystem for scalable data sharing in cloud
key aggregate cryptosystem for scalable data sharing in cloudSravan Narra
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementationsTrupti Shiralkar, CISSP
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
Encryption in the Age of Breaches
Encryption in the Age of BreachesEncryption in the Age of Breaches
Encryption in the Age of BreachesKarthik Bhat
 
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...C/D/H Technology Consultants
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docsDavid Strom
 
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open)
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open) Advanced Blockchain Technologies on Privacy & Scalability (All Things Open)
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open) Kaleido
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Transparent Encryption in HDFS
Transparent Encryption in HDFSTransparent Encryption in HDFS
Transparent Encryption in HDFSDataWorks Summit
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Internet Society
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Deploy360 Programme (Internet Society)
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Jethro Seghers
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Jethro Seghers
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 
Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 

Más contenido relacionado

Similar a Tlsoptimizationprint 120224194603-phpapp02

Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Amazon Web Services
 
Data Security for Project Managers
Data Security for Project ManagersData Security for Project Managers
Data Security for Project ManagersJoseph Wojowski
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013javagroup2006
 
key aggregate cryptosystem for scalable data sharing in cloud
key aggregate cryptosystem for scalable data sharing in cloudkey aggregate cryptosystem for scalable data sharing in cloud
key aggregate cryptosystem for scalable data sharing in cloudSravan Narra
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementationsTrupti Shiralkar, CISSP
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
Encryption in the Age of Breaches
Encryption in the Age of BreachesEncryption in the Age of Breaches
Encryption in the Age of BreachesKarthik Bhat
 
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...C/D/H Technology Consultants
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docsDavid Strom
 
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open)
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open) Advanced Blockchain Technologies on Privacy & Scalability (All Things Open)
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open) Kaleido
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Transparent Encryption in HDFS
Transparent Encryption in HDFSTransparent Encryption in HDFS
Transparent Encryption in HDFSDataWorks Summit
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Internet Society
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Deploy360 Programme (Internet Society)
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Jethro Seghers
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Jethro Seghers
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Markus Schlichting
 

Similar a Tlsoptimizationprint 120224194603-phpapp02 (20)

SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012
 
Data Security for Project Managers
Data Security for Project ManagersData Security for Project Managers
Data Security for Project Managers
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
 
key aggregate cryptosystem for scalable data sharing in cloud
key aggregate cryptosystem for scalable data sharing in cloudkey aggregate cryptosystem for scalable data sharing in cloud
key aggregate cryptosystem for scalable data sharing in cloud
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
 
Encryption in the Age of Breaches
Encryption in the Age of BreachesEncryption in the Age of Breaches
Encryption in the Age of Breaches
 
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
Today's Unified Communications: To upgrade, coexist, or go 'all in' with the ...
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docs
 
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open)
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open) Advanced Blockchain Technologies on Privacy & Scalability (All Things Open)
Advanced Blockchain Technologies on Privacy & Scalability (All Things Open)
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Transparent Encryption in HDFS
Transparent Encryption in HDFSTransparent Encryption in HDFS
Transparent Encryption in HDFS
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure
 
Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure Supporting architecture office 365 on windows azure
Supporting architecture office 365 on windows azure
 
Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)Token vs Cookies (DevoxxMA 2015)
Token vs Cookies (DevoxxMA 2015)
 

Más de fangjiafu

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronizationfangjiafu
 

Más de fangjiafu (20)

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_eng
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 
Unit05
Unit05Unit05
Unit05
 

Último

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Último (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Tlsoptimizationprint 120224194603-phpapp02

  • 1. Optimizing TLS/SSL Nate Lawson Cal Poly Grad Networks February 21, 2012 Friday, February 24, 2012
  • 2. Root Labs • Design and analyze security systems • Emphasis on embedded, kernel, reverse engineering, and cryptography Friday, February 24, 2012
  • 3. Focus • Smart phones, set-top boxes, game consoles, 2-factor tokens • Trusted boot, device drivers • Software tamper resistance Friday, February 24, 2012
  • 4. Before • Cryptography Research • Paul Kocher’s company (author of SSL 3.0) • Co-designed Blu-ray disc security layer, aka BD+ • Infogard Labs in SLO Friday, February 24, 2012
  • 5. SourceDNA • Software similarity search engine • Scale index to large number of binaries • Perform sophisticated alignment Friday, February 24, 2012
  • 6. Overview • SSL walkthrough • False Start • BEAST attack • Snap Start Friday, February 24, 2012
  • 7. History • SSL (Secure Sockets Layer) v2.0 (1994) • Serious security problems including incomplete MAC coverage of padding • SSL v3.0 (1996) • Major revision to address security problems • TLS (Transport Layer Security) 1.0 (1999) • Added new crypto algorithm support • IETF takes over • TLS 1.1 (2006) • Address Vaudenay’s CBC attacks on record layer • TLS 1.2 (2008) • SHA/MD5 for Finished message now SHA-256 Friday, February 24, 2012
  • 8. Layered model • SSL provides security at the transport layer (OSI model L4) • Stream of bytes in, private/untampered stream of bytes out • Application logic is unmodified • Can be adapted to datagram service also (DTLS) • Compare to IPSEC • Mostly used as an L3 protocol (datagram tunneling) Friday, February 24, 2012
  • 9. Security goals • Privacy • Data within SSL session should not be recoverable by anyone except the endpoints • Integrity • Data in transit should not be modified without detection • Authentication • No endpoint should be able to masquerade as another Friday, February 24, 2012
  • 10. Attacker capabilities • Normal participant • Can talk to server that is also talking to other parties • Passive eavesdropping • Observe any or all messages sent by other parties • Active (Man in the Middle) • Insert or replay old messages • Modify • Delete or reorder Friday, February 24, 2012
  • 11. Symmetric crypto • Block ciphers turn plaintext block into ciphertext using a secret key • Recipient inverts (decrypts) block using same key • Examples: AES, 3DES Friday, February 24, 2012
  • 12. Block chaining • Often requires “chaining” to encrypt messages longer than a single block • This does not provide integrity protection Friday, February 24, 2012
  • 13. Public key crypto • Data transformed with one key can only be inverted with the other key (asymmetric) • Examples: RSA, (EC)Diffie-Hellman, (EC)DSA • Can encrypt data to a recipient without also being able to decrypt it afterward • Can sign data by encrypting it with one key and publishing the other Friday, February 24, 2012
  • 15. Certificates • Associate a name with a public key • Trusted party uses private key to sign the message “joe.com = 0x09f9…” • Public key of trusted party came with your web browser • Key management still a problem • Expire certs and explicitly revoke them if a private key is compromised (CRL) • Or, check with the trusted party each time you want to use one (OCSP) Friday, February 24, 2012
  • 16. TLS Handshake Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished ApplicationData ApplicationData Friday, February 24, 2012
  • 17. Hello • Initiates connection and specifies parameters Client / ServerHello Version • Initiator sends list (i.e., RandomData SessionID CipherSuites) and CipherSuites responder selects one CompressionMethods item from list • SessionID is used for resuming (explained later) Friday, February 24, 2012
  • 18. Certificate • Provides a signed public key value to the other Certificate party ASN.1Cert • Other side must verify (X.509 v3 format) information • CN field is myhost.com = IP address in TCP connection • Cert chain back to root Friday, February 24, 2012
  • 19. ServerHelloDone • Signifies end of server auth process • Allows multi-pass authentication handshake • Cert-based auth is single-pass Friday, February 24, 2012
  • 20. ClientKeyExchange • Client sends encrypted premaster secret to server ClientKeyExchange RSA-PubKey-Encrypt( • ClientVersion Assumes RSA public key PreMasterSecret[48] crypto (most common) ) • Server checks ClientVersion matches highest advertised version Friday, February 24, 2012
  • 21. ChangeCipherSpec • Indicates following datagrams will be encrypted MasterSecret computation • Disambiguates case Hash( PreMasterSecret where next message may ClientRandom be error or encrypted ServerRandom data ) • Each side now calculates data encryption key (K) Friday, February 24, 2012
  • 22. Finished • Indicates all protocol negotiation is complete and data may be Finished exchanged AES-K-Encrypt( Magic MD5(handshake_messages) • Includes hashes of all SHA1(handshake_messages) handshake messages ) seen by each side • Also, magic integers 0x434C4E54 or 0x53525652 (why?) Friday, February 24, 2012
  • 23. ApplicationData ApplicationData • Encapsulates encrypted AES-CBC-K-Encrypt( data for duration of Type session Version Length Data • Can span multiple TCP MAC Padding packets PaddingLength ) Friday, February 24, 2012
  • 25. TLS Handshake Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished ApplicationData ApplicationData Friday, February 24, 2012
  • 26. Session resumption Client Server ClientHello ServerHello [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished ApplicationData (request) ApplicationData (response) Friday, February 24, 2012
  • 28. False Start Client Server ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished ApplicationData (request) [ChangeCipherSpec] Finished ApplicationData (response) Friday, February 24, 2012
  • 29. Security • Attacker spoofing server can modify: • Version • RandomData • SessionID • CipherSuites & CompressionMethods • Certificate • Client will only detect after Finished message received or timeout Friday, February 24, 2012
  • 31. CBC encryption P1 P2 P3 IV ⊕ ⊕ ⊕ AESEnc AESEnc AESEnc C1 C2 C3 Friday, February 24, 2012
  • 32. IV reuse P1 P2 P3 P4 IV ⊕ ⊕ IV’ ⊕ ⊕ AESEnc AESEnc AESEnc AESEnc C1 C2 C3 C4 Friday, February 24, 2012
  • 33. Process 1. Send message with 1 unknown byte 2. Send another message with guess for that byte aligned with same slot 3. If ciphertext matches, guess was correct Repeat for up to 256 * n bytes of secret Friday, February 24, 2012
  • 34. HTTP GET /example HTTP/1.1 Host: server.example.com Origin: http://example.com Cookie: 0123456789abcdef Friday, February 24, 2012
  • 35. HTTP GET /example?PAD=AAA HTTP/1.1 Host: server.example.com Origin: http://example.com Cookie: 0123456789abcdef Friday, February 24, 2012
  • 36. IV reuse P1 P2 P3 P4 P5 P6 IV ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ AESEn AESEn AESEn AESEn AESEn AESEn C1 C2 C3 C4 C5 C6 ... ?PAD=AAA_ HTTP/1.1rnCookie: 0 123456789abcdef Friday, February 24, 2012
  • 37. IV reuse P1 P2 P3 P4 P5 P6 IV ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ AESEn AESEn AESEn AESEn AESEn AESEn C1 C2 C3 C4 C5 C6 ... ?PAD=AA_H TTP/1.1rnCookie: 01 23456789abcdef Friday, February 24, 2012
  • 38. IV reuse P1 P2 P3 P4 P5 P6 IV ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ AESEn AESEn AESEn AESEn AESEn AESEn C1 C2 C3 C4 C5 C6 ... ?PAD=A_HT TP/1.1rnCookie: 012 3456789abcdef Friday, February 24, 2012
  • 39. Relations G =15 bytes known data || 1 byte guess P3 = C2 ⊕ G C3 = AES(C2 ⊕ C2 ⊕ G) = AES(G) Friday, February 24, 2012
  • 40. Attacker requirements • Ability to choose or influence some of the message •Internal alignment via adjustment of padding fields •Choice of plaintext guess • Partial knowledge of the original message • See each previous record’s C2 (IV’) Friday, February 24, 2012
  • 41. Snap Start Client Server ClientHello Snap Start Extension ClientKeyExchange [ChangeCipherSpec] Finished ApplicationData (request) [ChangeCipherSpec] Finished ApplicationData (response) Friday, February 24, 2012
  • 42. Snap Start changes • Server advertises initial orbit and cipher suite in Hello extension • On next connection, client sends: • Prior orbit, cipher suite • Chosen random_bytes • Checksum of predicted server handshake Friday, February 24, 2012
  • 43. Limitations • Client uses cached cipher suite • Client chooses random_bytes • Server must track some number of previous values and reject connection if reused • Server must validate timestamp • No SessionID and so no resume or must use session tickets Friday, February 24, 2012
  • 44. Conclusions • SSL provides a well-tested secure transport layer • Security protocols require careful interdependence of components • Easy to make mistakes designing security and crypto in particular Friday, February 24, 2012
  • 45. References TLS Overview, http://en.wikipedia.org/wiki/Transport_Layer_Security False Start draft, https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00 Snap Start draft (withdrawn), http://www.imperialviolet.org/binary/draft-agl- tls-snapstart-00.html Security criticism of False & Snap Start, http://www.ietf.org/mail-archive/ web/tls/current/msg06933.html BEAST Attack description, http://www.educatedguesswork.org/2011/09/ security_impact_of_the_rizzodu.html Fixing BEAST, http://www.educatedguesswork.org/2011/11/ rizzoduong_beast_countermeasur.html Friday, February 24, 2012