Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3


Upload: akana

Post on 07-Aug-2015


Page 1: Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3

akana

Securing your APIs against vulnerabilities in SSL

• Ashish Vaid

• Director of Technology at Akana

• Follow us at @funnyenough & @AkanaInc

• #TLSWithAkana

• Slides & Webinar at: http://resource.akana.com

Agenda

• API Security

• Overview

• Certificates

• Handshake

• Cipher Suites

• Tools - Discovering vulnerabilities

• Best Practices Recap

APIs

API Security

• OAuth 2.0

• OpenID Connect

• SAML Web SSO

• Attribute-based Access Control

• Data Privacy

TLS

Known Vulnerabilities

• Heartbleed

• POODLE

• BEAST

• CRIME

• FREAK

• Renegotiation attacks

• Lucky 13

• BERserk

• RC4 attacks

• more…

SSL/TLS Overview

• SSL v1 - mid-1990s by Netscape

• TLS v1 = SSL 3.1 by IETF - built on SSL

• Primary use

• Authentication

• Confidentiality

Authentication

• Process by which you verify that someone is who they claim they are

• Client authenticates the Server credentials

• API Endpoint Server proves its identity to clients by sharing a Certificate

• Domain Name

• Public Key (portion of the Public-Private Key Pair)

• Authentication relies on Signature Verification

Keys in Certificates

• RSA

• Public Key - Product of 2 primes + a number

• Private Key - a related number

• It is all about key-size and time & resources - RSA larger keys

• Larger keys = Slower Operation

• ECC - Elliptic Curve Cryptography

• Public Key - is an equation for an elliptic curve + a point on the curve

• Private Key - is a number

• ECDSA (Elliptic Curve Digital Signature Algorithm)

• Bitcoin, Apple iMessage, etc.

• Prefer ECC over RSA

• RSA - use keys > 2048 bits

Confidentiality

• Symmetric keys based encryption

• Session Key - single use symmetric key; secret key

• Cipher - is an algorithm for performing encryption and decryption

• Confidentiality of a session is determined by the choice and size of the Cipher!

Handshake

Client → Server: hello, versions, client random & supported ciphers

Server → Client: hello, server random & public key certificate

Client → Server: encrypted premaster secret using the server public key

Client and Server: calculate session key

Client and Server: using session key - encrypt payload

Handshake

• RSA - asymmetric keys

• Single Operation - RSA

• Faster

• Diffie-Hellman - public key exchange

• Two Operations: DH/DHE/ECDHE + RSA/DSA/ECDSA

• Perfect Forward Secrecy - DHE/ECDHE

• Two Operations with ECC can be as fast as Single Operation RSA

Ciphers

• Block Ciphers (Fixed Size)

• AES - Advanced Encryption Standard

• 3DES - Triple Data Encryption Standard

• Operation Modes

• GCM - Galois/Counter Mode

• CBC - Cipher Block Chaining

• Stream Cipher (Continuous Stream of Symbols)

• RC4 - Rivest Cipher 4

• Block Ciphers in Stream mode

Cipher Suites

• Key establishment

• Authentication - Signature Algorithm

• Confidentiality - Cipher - Encryption/Decryption

• Integrity - Digest

Cipher Suite - Example

• AES128-SHA

• Key Establishment: RSA

• Authentication: RSA

• Confidentiality: AES128 bit w/ CBC

• Integrity: SHA-1

Cipher Suite - Example

• AES256-GCM-SHA384

• Key Establishment: RSA

• Authentication: RSA

• Confidentiality: AES 256 bits w/ GCM

• Integrity: SHA-2 384 bits

Cipher Suite - Example

• ECDHE-ECDSA-AES256-GCM-SHA384

• Key Establishment: ECDHE (Elliptic Curve DH Ephemeral)

• Authentication: ECDSA (Elliptic Curve DSA)

• Confidentiality: AES 256-bit w/ GCM

• Integrity: SHA-2 384 bit ✅

Downgrades

• For interoperability with legacy servers, a TLS client will intentionally reconnect with a downgraded protocol

• Downgrades are undesirable - may indicate a downgrade attack

• SCSV - Signaling Cipher Suite Value can be employed to prevent unintended protocol downgrades (MITM attacks/POODLE)

• TLS_FALLBACK_SCSV is a fake* Cipher Suite the client sends during ClientHello

• Enable support for TLS_FALLBACK_SCSV
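
The server-side decision behind TLS_FALLBACK_SCSV, as an added example that is not part of the original slides. The value 0x5600 and alert 86 come from RFC 7507; the function names and sample offers are hypothetical.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600       # signaling value defined in RFC 7507
INAPPROPRIATE_FALLBACK = 86      # fatal alert the server answers with (RFC 7507)
DECODE_ERROR = 50                # TLS alert for a malformed message
SSL3, TLS12 = 0x0300, 0x0303     # wire encoding of the protocol versions
# Constructed sample offer: ECDHE-ECDSA-AES256-GCM-SHA384 and AES128-SHA
SAMPLE_SUITES = [0xC02C, 0x002F]

def client_offer(version, suites, is_fallback_retry):
    """Client: encode client_version and cipher_suites; add the SCSV only on a downgraded retry."""
    offered = list(suites) + ([TLS_FALLBACK_SCSV] if is_fallback_retry else [])
    body = struct.pack("!%dH" % len(offered), *offered)
    return struct.pack("!H", version), struct.pack("!H", len(body)) + body

def server_check(version_bytes, suites_vector, server_max):
    """Server: return the alert to send, or None to carry on with the handshake."""
    if len(suites_vector) < 2:
        return DECODE_ERROR
    (client_version,) = struct.unpack("!H", version_bytes)
    (length,) = struct.unpack("!H", suites_vector[:2])
    body = suites_vector[2:]
    if length != len(body) or length % 2:
        return DECODE_ERROR
    offered = struct.unpack("!%dH" % (length // 2), body)
    # The SCSV means "I can speak a higher version": refuse if this server can too.
    if TLS_FALLBACK_SCSV in offered and client_version < server_max:
        return INAPPROPRIATE_FALLBACK
    return None

def scenarios():
    """Run the four cases a defender should expect to see."""
    first = client_offer(TLS12, SAMPLE_SUITES, False)
    retry = client_offer(SSL3, SAMPLE_SUITES, True)
    no_scsv = client_offer(SSL3, SAMPLE_SUITES, False)
    return {
        "first attempt at TLS 1.2": server_check(*first, server_max=TLS12),
        "retry at SSLv3, modern server": server_check(*retry, server_max=TLS12),
        "retry at SSLv3, legacy server": server_check(*retry, server_max=SSL3),
        "retry at SSLv3 without SCSV": server_check(*no_scsv, server_max=TLS12),
    }
```

The last case returns no alert: a downgraded retry is only caught when the client sends the SCSV and the server checks for it, which is why support has to be enabled on both sides.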

Tools/Resources

• Qualys SSL Lab (www.ssllabs.com)

• SSLScan (brew install sslscan)

• OWASP (www.owasp.org)

• CipherList (www.cipherli.st)

• Wikipedia (http://en.wikipedia.org/wiki/Transport_Layer_Security)

SSLScan

Testing SSL server api.stripe.com on port 443

Supported Server Cipher(s):
    Rejected  N/A  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  N/A  SSLv2   56 bits  DES-CBC-MD5
    Rejected  N/A  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  N/A  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  N/A  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  N/A  SSLv2  128 bits  RC4-MD5
    Rejected  N/A  SSLv3  128 bits  ADH-SEED-SHA
    Rejected  N/A  SSLv3  128 bits  DHE-RSA-SEED-SHA
    Rejected  N/A  SSLv3  128 bits  DHE-DSS-SEED-SHA
    Rejected  N/A  SSLv3  128 bits  SEED-SHA
    Rejected  N/A  SSLv3  256 bits  ADH-AES256-SHA
    Accepted       SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  N/A  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Accepted       SSLv3  256 bits  AES256-SHA
    Rejected  N/A  SSLv3  128 bits  ADH-AES128-SHA
    Accepted       SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  N/A  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted       SSLv3  128 bits  AES128-SHA
    Rejected  N/A  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  N/A  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  N/A  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  N/A  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  N/A  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  N/A  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  N/A  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  N/A  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  N/A  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  N/A  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  N/A  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted       SSLv3  168 bits  DES-CBC3-SHA
    Rejected  N/A  SSLv3   56 bits  DES-CBC-SHA
    Rejected  N/A  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  N/A  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Accepted       SSLv3  128 bits  RC4-SHA
    Rejected  N/A  SSLv3  128 bits  RC4-MD5
    Rejected  N/A  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  N/A  SSLv3    0 bits  NULL-SHA
    Rejected  N/A  SSLv3    0 bits  NULL-MD5
    Rejected  N/A  TLSv1  128 bits  ADH-SEED-SHA
    Rejected  N/A  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Rejected  N/A  TLSv1  128 bits  DHE-DSS-SEED-SHA
    Rejected  N/A  TLSv1  128 bits  SEED-SHA
    Rejected  N/A  TLSv1  256 bits  ADH-AES256-SHA
    Accepted       TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  N/A  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted       TLSv1  256 bits  AES256-SHA
    Rejected  N/A  TLSv1  128 bits  ADH-AES128-SHA
    Accepted       TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  N/A  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted       TLSv1  128 bits  AES128-SHA
    Rejected  N/A  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  N/A  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  N/A  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  N/A  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  N/A  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Rejected  N/A  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  N/A  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  N/A  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  N/A  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  N/A  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  N/A  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted       TLSv1  168 bits  DES-CBC3-SHA
    Rejected  N/A  TLSv1   56 bits  DES-CBC-SHA
    Rejected  N/A  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  N/A  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Accepted       TLSv1  128 bits  RC4-SHA
    Rejected  N/A  TLSv1  128 bits  RC4-MD5
    Rejected  N/A  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  N/A  TLSv1    0 bits  NULL-SHA
    Rejected  N/A  TLSv1    0 bits  NULL-MD5

Prefered Server Cipher(s):
    SSLv3  128 bits  DHE-RSA-AES128-SHA
    TLSv1  128 bits  DHE-RSA-AES128-SHA

Best Practices Recap

• Protocols

• Prefer use of TLS 1.2 over TLS 1.1 and TLS 1.0

• Disable SSL 1.0, 2.0, 3.0

• Prefer ECC over RSA Public-Private Key Pair in Certificates

• Prefer > 2048 bits when using RSA Public-Private Key Pair in Certificates

• Prefer Perfect Forward Secrecy

• Use DHE or ECDHE

• Prefer GCM over CBC Cipher Suites

• Disable RC4, NULL, eNULL & aNULL

• Disable EXPort-Level Ciphers*

• Prefer SHA2 over SHA1 for Digest

• Disable MD5

• Enable TLS_FALLBACK_SCSV
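
One way to apply the Cipher Suites breakdown and this recap to SSLScan-style output, as an added example that is not part of the original slides. The function names, finding labels and the sample scan lines are constructed for illustration, and the parser only covers the AES/DES/RC4-era OpenSSL names shown on the slides.

```python
FORWARD_SECRET = {"DHE", "EDH", "ECDHE", "ADH", "AECDH"}   # ephemeral key exchange
KEY_EXCHANGE = FORWARD_SECRET | {"DH", "ECDH"}             # static DH gives no PFS
# Constructed sample in the "status protocol bits suite" shape SSLScan prints.
SAMPLE_SCAN = """\
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected N/A TLSv1 40 bits EXP-RC4-MD5
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
"""

def decompose(suite):
    """Split an OpenSSL-style name (not CHACHA20 or TLS 1.3 names) into its four roles."""
    export = suite.startswith("EXP-")
    parts = suite[4:].split("-") if export else suite.split("-")
    kx = parts.pop(0) if parts[0] in KEY_EXCHANGE else "RSA"   # no prefix means RSA
    if kx in ("ADH", "AECDH"):
        auth = "none"                                          # anonymous, i.e. aNULL
    else:
        auth = parts.pop(0) if parts[0] in ("RSA", "DSS", "ECDSA") else "RSA"
    digest = parts.pop()
    mode = ("GCM" if "GCM" in parts else "stream" if parts[0] == "RC4"
            else "none" if parts[0] == "NULL" else "CBC")      # old names omit "CBC"
    return dict(kx=kx, auth=auth, cipher="-".join(parts), mode=mode, digest=digest, export=export)

def findings(protocol, suite):
    """Return the recap items that one accepted protocol/suite pair runs against."""
    s, out = decompose(suite), []
    if protocol.startswith("SSL"):
        out.append("disable " + protocol)
    elif protocol != "TLSv1.2":
        out.append("prefer TLS 1.2")
    if s["kx"] not in FORWARD_SECRET:
        out.append("no forward secrecy")
    if s["auth"] == "none":
        out.append("anonymous (aNULL)")
    if s["export"]:
        out.append("export-grade")
    if s["mode"] in ("stream", "none"):
        out.append("RC4 or NULL cipher")
    elif s["mode"] == "CBC":
        out.append("CBC, prefer GCM")
    if s["digest"] in ("MD5", "SHA"):
        out.append("MD5 digest" if s["digest"] == "MD5" else "SHA-1, prefer SHA-2")
    return out

def audit(scan_text):
    """Map every Accepted (protocol, suite) line to its findings; Rejected lines are skipped."""
    rows = (line.split() for line in scan_text.splitlines())
    return {(f[1], f[-1]): findings(f[1], f[-1]) for f in rows if f and f[0] == "Accepted"}
```

Calling `audit(SAMPLE_SCAN)` returns an empty finding list only for the ECDHE-ECDSA-AES256-GCM-SHA384 line, the suite the slides mark with a check.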

Summary

• Cryptography is hard to implement correctly

• Today’s Best Practices will be tomorrow’s NO-NO

• How do you keep up-to-date on latest vulnerabilities?

• And recommendations?

• Most of our customers rely on us for up-to-date & tested policies

• Follow us at @AkanaInc

• Additional Conversation: #TLSWithAkana

• White-papers & Webinars: http://resource.akana.com