seven grades of perfect forward secrecy

of 25 /25
Seven Grades of Perfect Forward Secrecy 2014 Oleg Gryb @oleggryb

Author: oleg-gryb

Post on 24-Jun-2015




0 download

Embed Size (px)


Read this is you want to know how perfection looks like in the world of TLS handshakes.


2. What isPFS?Session Key one time symmetrickey used to encrypt all messagesin a session.Long-term Keys live longer than a session,can be used to derive Session Key. Idealisticallystored in an HSM appliance, but it varies.PFS definition:long-term secret keying material does not compromise thesecrecy of the exchanged keys from earlier run -W. Diffie, P. Oorchot, M.Wiener: Authentication and Authenticated Key Exchanges, 1992 3. WhyPFS?Installing TCPDUMPon DD-WRT device:Emtunc's Blog!$0.01 per GB 4. WhyPFS?5% per month free$0.01 per GB - extra 5. Non PFSExample Session key is generated fromPremaster, random numbers 'a'and 'b' Premaster is encrypted with'long-term' server's key If 'long-term key is compromized,session key is compromized too. 6. PFS: Diffie-HellmanSrvKeyExchange will contain additional DHparams: p big prime g its primitive root.acoprime pk : gka(mod p) Ys=gamod pClientKeyExchange will contain ClientDiffieHellmanPublic instead ofRSA Premaster Secret: Yc=gbmod pWhere 'a' and 'b' random numbers picked up by Server and Client independentlyShared Secret=gabmod p=Ysbmod p=Ycamod pW. Diffie, M. Hellman: New Direction in Cryptography, 1976RFC 5246 7. OLD DH -PerfProbem At around 500 TPS responsetime for DH grows from10ms to 10s For traditional RSAevrything runs smoothlyuntil 2500 TPSFrom Vincent Bernat's SSL/TLS Blog 8. DH withCurvesSrvKeyExchange will contain EC parameters It can be pre-defined named curve Or explicitly defined curve with all necessary params: p big prime, which defines Fp ECurve (a, b) (y^2 = x^3 + ax + b) ECPoint base point (G) order - order of G cofactor order*cofactor = |E(Fp)|It also contain public ECDH server key:Ys = aGClientKeyExchange will contain ClientECDiffieHellmanPublic with:Yc = bGWhere 'a' and 'b' random numebers picked up by Server and Client in dependantly and are less than 'order of G'Shared Secret = abG = aYc = bYsAn Efficient Protocol for Authenticated Key Agreement, 1998RFC4492 9. OLD DHEvs. ECDHE On server side DHE threetimes slower than RSA 2048 For optimized ECDHE-64the overhead is 15% onlyFrom Vincent Bernat's SSL/TLS BlogIt's time for 1000 handshakes 10. TLSCheatsheetTLSHandshakeAlgoPublic(*) paramsused for SessionKey GenerationPrivate(*) paramsused for SessionKey GenerationLong-term key(LTK) purposeAttackComplexitySpeedClassic(RFC5264) Random a,b Public cert of LTK Premaster Secretsent encrypted withLTK's cert LTKAuthneticationand encryptionSame asattack onRSA/DSAbased PKIStillFastestDHE(RFC5264) p big prime g its primitive rootRandom, private a,b(a & b are never sent)AuthenticationonlySame asdescretelogarithmproblemSlowECDHE(RFC4492) p big prime G base point r order of G k small cofactor:kr=|E(Fp)| a curve's param b curv'es paramRandom, private a,b(a & b are never sent)AuthenticationonlySame asdescreteloagrithmproblemAlmostthesame asclassicRSA(*) Public means sent unencrypted, private not sent or sent encrypted. 11. PFSImplementationsAs discussed, we three major options: No Diffie-Hellman Older Diffie-Hellman without curves (DHE) New Diffie-Hellman with curves (ECDHE)Server can also: Have preferred ciphers that fall to one of the categories above It can support or not support newer and older DH protocols 12. PFSGradesBased on the discussed criteria we can come up with grades:Supported Preferred GradePFS Only ECDHE 1PFS Only DHE 2PFS and non PFS ECDHE 3PFS and non PFS DHE 4DHE, ECDHE and non PFS Non PFS 5DHE and non PFS Non PFS 6PFS are not supported Non PFS (obviously) 7 13. PFSGradesWhy preffered ciphers are important? Client can send a list of ciphers that it supports Server will always select a preferred, even if client hasa better cipher in the listWhy ECDHE vs DHE is important? Because of perfromance (see slides 7 and 9) If we don't care about perfromance, we could consider the followinggrades equivalent: 1 and 2, 3 and 4, 5 and 6You can reduce the number of grades to 4 if you care about security only,but it's probably not a wise thing to do, because too many securityinitiatives are stopped because of poor perfromance. Example old DHEitself vs. RSA. 14. PFSTestingI've selected 10 companies in each of the following industries: Manufactoring Finance Government InfoSec Defense Health Internet Electronics Education Software 15. PFSTesting How Just googled them, e.g. top health probviders The biggest chellenge it was difficult to find SSL protected Websites inDefence everything is usually public at those :) Exception their job related portals Used a Python client with JSON configuration fileCode: 16. PFSTestingConfig"statfile":"statfile.html","ciphers":"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5","baseline_ciphers":"AES128-SHA:RC4-MD5:RC4-SHA:AES256-SHA:DES-CBC3-SHA","hosts":[{"host":"","port":443,"name":"Bank One","tag":"Finanace"},{"host":"","port":443,"name":"Bank Two","tag":"Finanace"},{"host":"","port":443,"name":"Bank Three","tag":"Finanace"},{"host":"","port":443,"name":"Bank Four","tag":"Finanace"}, 17. PFSTestingResults 18. PFSWinnersWinners: Internet InfoSec Defence EducationAt least one has PFS as preferred: Manufactoring Government HealthPFS not implemented as preferred: Finance Electronics SoftwareSome Thoughts: Finance organizations are usuallyvery good when it comes toprivacy or fraud, but do notadopt technology fast Internet companies might not bethat good in privacy, but arequick in picking up newtechnologies including security Education/Universities are similarwhen it comes to innovations InfoSec, Defence they ought toand could've been done evenbetter IMO 19. PFSTestingInternetDetails for Internet Companies No difference in handshake time from client point ov view All major Internet companies graded as 3 or 4 Everyone supports all versions of TLS Everyone uses the same fast preferred ECDHE cipherDisappointment: SSLv3 and TLSv1 support. I would love to see only TLSv1.2 20. Details for Finance Companies Too many companies (80%) don't support PFS at all (grade 7) Poor support for the newer TLS versions (1.1 and 1.2)PFSTestingFinance 21. PFSBrowserSupportWhat about browser's support for ECDHE?From Qualys Community Website 22. PFSConclusion There is no any reason why you can't move your servers to category#3 or #4 (there is a fallback on non PFS) To move them to the the categories #1 or #2 (there is no fallback onnon-PFS) a decision about not supporting legacy browsers should bemade. That decision would make a perfect sense since it'll improvethe overall security of web applications. Other factors to consider to make a decision about not supportinglegacy browsers: They are less secure You want to take the full advantage of HTML5 Upgrade to newer versions if usually freeJust Tell Them to Upgrade! No significant excuses have left. 23. ExceptionYou might need to go non-PFS for internalcommunications to collect/analyze trafficNetwork Traffic AnalyzerPFS DBNon-PFS Non-PFSWeb Servers App ServersNetwork Traffic Analyzer's Agent 24. PFSOne GradeOnlyEECCDDHHEENNoo FFaallllbbaacckkOOnnAAnnyytthhiinnggLLeessss PPeerrffeecctt 25. Q & AThanks for Coming!Oleg GrybSr. Manager, Security Engineering @ Samsung Strategy and Innovation CenterTwitter: @oleggryb