PLAYBACK: A TLS 1.3 STORY (DEF CON 26)
WHO ARE WE?
Alfonso García Alguacil
Alejo Murillo Moya
INTRODUCING TLS 1.3
The Good
• KISS – Only 5 ciphers supported
• Not vulnerable to the attacks impacting previous versions
• Welcome Forward Secrecy
• Formal security analysis performed on the protocol
The Bad
• Protocol tainted due to “compatibility issues”
The Ugly
• 0-RTT (this talk)
0-RTT: SPEED AT A COST
Your browsers, implementations (BoringSSL) and CDNs may already be supporting TLS 1.3 0-RTT!
TLS 1.3 HANDSHAKE
TLS 1.3 0-RTT
As you can see… it may be possible to do REPLAY attacks!
TLS 1.3 0-RTT REPLAY
ANTI-REPLAY PROTECTIONS
• Single-Use Tickets
• Client-Hello Recording
• “Freshness” checks
• Application profiles
• Separate API
ANTI-REPLAY PROTECTIONS (JUL-2018)
[Comparison table of implementations; its row and column layout did not survive extraction. Surviving text:]
• Protections: Single-Use Tickets, Client-Hello Recording, Application Profile, Other protections
• Implementation named: BoringSSL
• Cell values: 0-RTT disabled by default; 0-RTT not available; Different API for handling 0-RTT; 0-RTT only on “safe” methods; 0-RTT only on “safe” methods, no params; Partial (HTTP Header); n/a (six cells)
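How the Client-Hello Recording and “Freshness” checks listed above fit together on the server side, as an added sketch that is not code from the talk or from any TLS library. The `Ticket` and `EarlyDataGate` names, the 10-second window and the sample values are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Ticket:
    issued_at_ms: int   # server clock when the ticket was issued
    age_add: int        # random 32-bit mask (ticket_age_add) sent with the ticket


@dataclass
class EarlyDataGate:
    window_ms: int = 10_000                    # assumed acceptance window
    seen: dict = field(default_factory=dict)   # binder digest -> expiry (ms)

    def accept(self, ticket, obfuscated_age, binder, now_ms):
        """Return (ok, reason). On False the server declines the early data
        and the connection continues as a normal 1-RTT handshake."""
        # "Freshness" check: un-mask the ticket age claimed by the client and
        # compare it with how old the server believes the ticket is.
        client_age = (obfuscated_age - ticket.age_add) % 2**32
        server_age = now_ms - ticket.issued_at_ms
        if abs(server_age - client_age) > self.window_ms:
            return False, "stale"
        # Client-Hello recording: remember a value unique to this ClientHello
        # (here a digest of the PSK binder) and refuse to see it twice.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now_ms}
        key = hashlib.sha256(binder).digest()
        if key in self.seen:
            return False, "replayed"
        # A copy can still look fresh up to 2 x window after the original
        # (clock skew of one window in either direction), so keep it that long.
        self.seen[key] = now_ms + 2 * self.window_ms
        return True, "accepted"


def demo():
    """Constructed sample: one ClientHello delivered three times."""
    gate = EarlyDataGate()
    ticket = Ticket(issued_at_ms=1_000_000, age_add=0x1234ABCD)
    binder = bytes.fromhex("aa" * 32)                      # constructed value
    obfuscated = (60_000 + ticket.age_add) % 2**32         # client sent it 60 s after issue
    return [
        gate.accept(ticket, obfuscated, binder, 1_060_050),  # original delivery
        gate.accept(ticket, obfuscated, binder, 1_060_900),  # copy inside the window
        gate.accept(ticket, obfuscated, binder, 1_100_000),  # copy 40 s later
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The `seen` table lives in one process; a deployment with several servers accepting the same tickets needs that state shared between them for the recording to hold.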
ANATOMY OF AN ATTACK
• Vantage point in the network
• Browser and server with TLS 1.3 and 0-RTT enabled
• GET not being a “safe method” (a.k.a. RFC meets reality)
THE BROWSER BEHAVIOUR
• The browser decides when to send 0-RTT data, which reduces the window for attacks
DEMO
IMPROVING OUR ATTACK
• Could it be possible to control when to send 0-RTT data?
YES!!!
CONTROLLING THE BROWSER
DEMO
ANTI-REPLAY PROTECTIONS
• Single-Use Tickets
• Client-Hello Recording
• “Freshness” checks
• Application profiles
• Separate API
IMPROVING OUR ATTACK (AGAIN)
• Imagine that somehow the TLS library and server actually perfectly prevent any replay attack on 0-RTT.
• Could it be possible to do replay attacks?
YES!!!
UNIVERSAL REPLAY ATTACK
DEMO
TOOL: HIGH-LEVEL DESCRIPTION
• Assumes a vantage point in the network
• Provides creation of templates for encrypted traffic.
• Supports the two attacks described in this presentation.
• Available at https://github.com/portcullislabs/tlsplayback
SIDE EFFECTS OF 0-RTT
• It is important to understand that 0-RTT creates a dependency between the application and the underlying TLS 1.3 protocol
• The application will need to be 0-RTT aware.
• Enabling 0-RTT could leave your application vulnerable to replay attacks
• Ultimately, the last line of defence would be the application itself.
MITIGATIONS
• Disable 0-RTT
• Ensure that your application does not allow replays (e.g. strict CSRF). Ensure that REST services are developed properly
• Create a strict application profile after careful analysis
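One way to enforce a strict application profile inside the application, along the lines of the “0-RTT only on ‘safe’ methods, no params” entry in the protections table; this is an added example, not code from the talk or from the tlsplayback tool. It assumes the TLS terminator marks requests received as early data with the `Early-Data: 1` header (RFC 8470); `EarlyDataProfile`, `bank_app`, the allowlist and the sample requests are constructed for illustration.

```python
# Profile: the only (method, path) pairs that may be served from 0-RTT data.
EARLY_OK = {("GET", "/"), ("GET", "/static/app.css")}   # constructed allowlist


class EarlyDataProfile:
    """WSGI middleware: answer 425 Too Early for any early-data request that
    is outside the profile, so the client repeats it after the handshake."""

    def __init__(self, app, allowed):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        # Assumption: the front end sets this header on 0-RTT requests
        # (e.g. nginx: proxy_set_header Early-Data $ssl_early_data;).
        early = environ.get("HTTP_EARLY_DATA") == "1"
        if early and not self._in_profile(environ):
            body = b"Too Early\n"
            start_response("425 Too Early", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)

    def _in_profile(self, environ):
        if environ.get("QUERY_STRING"):                       # no params
            return False
        if environ.get("CONTENT_LENGTH") not in (None, "", "0"):  # no body
            return False
        key = (environ["REQUEST_METHOD"], environ.get("PATH_INFO", ""))
        return key in self.allowed


# Constructed application in which GET is not a "safe method".
transfers = []

def bank_app(environ, start_response):
    if environ["PATH_INFO"] == "/transfer":
        transfers.append(environ["QUERY_STRING"])   # state change on GET
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


guarded = EarlyDataProfile(bank_app, EARLY_OK)


def call(app, method, path, query="", early=False):
    """Drive the WSGI app with a minimal constructed request; return the status."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    if early:
        environ["HTTP_EARLY_DATA"] = "1"
    seen = {}
    b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"]


if __name__ == "__main__":
    print(call(guarded, "GET", "/transfer", "to=bob&amount=10", early=True))
    print(call(guarded, "GET", "/transfer", "to=bob&amount=10"))
    print(call(guarded, "GET", "/", early=True), transfers)
```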
KEY TAKEAWAYS
• TLS 1.3 is awesome, but could lead to a vulnerable application if 0-RTT is being used.
• Your application (not just webapps) needs to be 0-RTT-aware to prevent side effects
• You may need to change your application or server/CDN configuration to protect against replay attacks
Thanks!