seven grades of perfect forward secrecy
DESCRIPTION
Read this is you want to know how perfection looks like in the world of TLS handshakes.TRANSCRIPT
Seven Grades of Perfect Forward Secrecy 2014
Oleg Gryb@oleggryb
What isPFS?
Session Key – one time symmetrickey used to encrypt all messagesin a session.
Long-term Keys – live longer than a session,can be used to derive Session Key. Idealisticallystored in an HSM appliance, but it varies.
PFS definition:
“long-term secret keying material does not compromise thesecrecy of the exchanged keys from earlier run” -
W. Diffie, P. Oorchot, M.Wiener: Authentication and Authenticated Key Exchanges, 1992
WhyPFS?
Installing TCPDUMPon DD-WRT device:
Emtunc's Blog!
$0.01 per GB
WhyPFS?
5% per month free
$0.01 per GB - extra
Non PFSExample
● Session key is generated fromPremaster, random numbers 'a'and 'b'
● Premaster is encrypted with'long-term' server's key
● If 'long-term key is compromized,session key is compromized too.
PFS: Diffie-Hellman
SrvKeyExchange will contain additional DHparams:
● p – big prime
● g – its primitive root.
●Ys=gamod p
ClientKeyExchange will contain ClientDiffieHellmanPublic instead ofRSA Premaster Secret:
● Yc=gbmod pWhere 'a' and 'b' random numbers picked up by Server and Client independently
Shared Secret=gabmod p=Ysbmod p=Ycamod p
∀ acoprime p∃k : gk≡a(mod p)
W. Diffie, M. Hellman: “New Direction in Cryptography”, 1976
RFC 5246
OLD DH -Perf
Probem
From Vincent Bernat's SSL/TLS Blog
● At around 500 TPS responsetime for DH grows from10ms to 10s
● For traditional RSAevrything runs smoothlyuntil 2500 TPS
DH withCurves
SrvKeyExchange will contain EC parameters
● It can be pre-defined named curve
● Or explicitly defined curve with all necessary params:
● p – big prime, which defines Fp
● ECurve (a, b) (y^2 = x^3 + ax + b)
● ECPoint – base point (G)
● order - order of G
● cofactor – order*cofactor = |E(Fp)|
ClientKeyExchange will contain ClientECDiffieHellmanPublic with:
Yc = bG
It also contain public ECDH server key:
Ys = aG
Shared Secret = abG = aYc = bYs
An Efficient Protocol for Authenticated Key Agreement, 1998
RFC4492
Where 'a' and 'b' random numebers picked up by Server and Client in dependantly and are less than 'order of G'
OLD DHEvs. ECDHE
From Vincent Bernat's SSL/TLS Blog It's time for 1000 handshakes
● On server side DHE threetimes slower than RSA 2048
● For optimized ECDHE-64the overhead is 15% only
TLSCheatsheet
TLS HandshakeAlgo
Public(*) paramsused for SessionKey Generation
Private(*) paramsused for SessionKey Generation
Long-term key(LTK) purpose
AttackComplexity
Speed
Classic(RFC5264)
● Random a,b● Public cert of LTK
● Premaster Secretsent encrypted withLTK's cert
● LTK
Authneticationand encryption
Same asattack onRSA/DSAbased PKI
StillFastest
DHE(RFC5264)
● p – big prime● g – its primitive root
Random, private a,b(a & b are never sent)
Authenticationonly
Same asdescretelogarithmproblem
Slow
ECDHE(RFC4492)
● p – big prime● G – base point● r – order of G● k – small cofactor:
kr=|E(Fp)|● a – curve's param ● b – curv'es param
Random, private a,b(a & b are never sent)
Authenticationonly
Same asdescreteloagrithmproblem
Almostthesame asclassicRSA
(*) Public means sent unencrypted, private – not sent or sent encrypted.
PFSImplementations
As discussed, we three major options:
● No Diffie-Hellman
● Older Diffie-Hellman without curves (DHE)
● New Diffie-Hellman with curves (ECDHE)
Server can also:
● Have preferred ciphers that fall to one of the categories above
● It can support or not support newer and older DH protocols
PFSGrades
Based on the discussed criteria we can come up with grades:
Supported Preferred Grade
PFS Only ECDHE 1
PFS Only DHE 2
PFS and non PFS ECDHE 3
PFS and non PFS DHE 4
DHE, ECDHE and non PFS Non PFS 5
DHE and non PFS Non PFS 6
PFS are not supported Non PFS (obviously) 7
PFSGrades
Why preffered ciphers are important?
● Client can send a list of ciphers that it supports
● Server will always select a preferred, even if client has
a better cipher in the list
Why ECDHE vs DHE is important?
● Because of perfromance (see slides 7 and 9)
● If we don't care about perfromance, we could consider the followinggrades equivalent: 1 and 2, 3 and 4, 5 and 6
You can reduce the number of grades to 4 if you care about security only,but it's probably not a wise thing to do, because too many securityinitiatives are stopped because of “poor perfromance”. Example – old DHEitself vs. RSA.
PFSTesting
I've selected 10 companies in each of the following industries:
● Manufactoring
● Finance
● Government
● InfoSec
● Defense
● Health
● Internet
● Electronics
● Education
● Software
PFSTesting
● How – Just googled them, e.g. “top health probviders”
● The biggest chellenge – it was difficult to find SSL protected Websites inDefence – everything is usually public at those :)
● Exception – their job related portals
● Used a Python client with JSON configuration file
Code: sf.net/projects/pfschecker
PFSTestingConfig
"statfile":"statfile.html",
"ciphers":"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5",
"baseline_ciphers":"AES128-SHA:RC4-MD5:RC4-SHA:AES256-SHA:DES-CBC3-SHA",
"hosts":[
{"host":"www.bank1.com","port":443,"name":"Bank One","tag":"Finanace"},
{"host":"www.bank2.com","port":443,"name":"Bank Two","tag":"Finanace"},
{"host":"www.bank3.com","port":443,"name":"Bank Three","tag":"Finanace"},
{"host":"www.bank4.com","port":443,"name":"Bank Four","tag":"Finanace"},
PFSTestingResults
PFSWinners
Winners:
● Internet
● InfoSec
● Defence
● Education
At least one has PFS as preferred:
● Manufactoring
● Government
● Health
PFS not implemented as preferred:
● Finance
● Electronics
● Software
Some Thoughts:
● Finance organizations are usuallyvery good when it comes toprivacy or fraud, but do notadopt technology fast
● Internet companies might not bethat good in privacy, but arequick in picking up newtechnologies including security
● Education/Universities are similarwhen it comes to innovations
● InfoSec, Defence – they ought toand could've been done evenbetter IMO
PFSTestingInternet
Details for Internet Companies
● No difference in handshake time from client point ov view
● All major Internet companies graded as 3 or 4
● Everyone supports all versions of TLS
● Everyone uses the same fast preferred ECDHE cipher
Disappointment:
● SSLv3 and TLSv1 support. I would love to see only TLSv1.2
Details for Finance Companies
● Too many companies (80%) don't support PFS at all (grade 7)
● Poor support for the newer TLS versions (1.1 and 1.2)
PFSTestingFinance
PFSBrowserSupport
What about browser's support for ECDHE?
From Qualys Community Website
PFSConclusion
● There is no any reason why you can't move your servers to category#3 or #4 (there is a fallback on non PFS)
● To move them to the the categories #1 or #2 (there is no fallback onnon-PFS) a decision about not supporting legacy browsers should bemade. That decision would make a perfect sense since it'll improvethe overall security of web applications.
● Other factors to consider to make a decision about not supporting“legacy browsers”:
– They are less secure
– You want to take the full advantage of HTML5
– Upgrade to newer versions if usually free
Just Tell Them to Upgrade! No significant excuses have left.
ExceptionNetwork Traffic Analyzer
Web Servers App Servers
DBPFSNon-PFSNon-PFS
Network Traffic Analyzer's Agent
You might need to go non-PFS for internalcommunications to collect/analyze traffic
PFSOne Grade
OnlyECDHEECDHE
No FallbackNo Fallback
OnOn
AnythingAnything
Less PerfectLess Perfect
Q & A
Thanks for Coming!
Oleg Gryb
Sr. Manager, Security Engineering @ Samsung Strategy and Innovation Center
Twitter: @oleggryb