seven grades of perfect forward secrecy
DESCRIPTION
Read this if you want to know what perfection looks like in the world of TLS handshakes.
TRANSCRIPT
![Page 1: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/1.jpg)
Seven Grades of Perfect Forward Secrecy 2014
Oleg Gryb @oleggryb
![Page 2: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/2.jpg)
What is PFS?
Session Key – one-time symmetric key used to encrypt all messages in a session.
Long-term Keys – live longer than a session, can be used to derive the Session Key. Ideally stored in an HSM appliance, but it varies.
PFS definition:
“long-term secret keying material does not compromise the secrecy of the exchanged keys from earlier runs” -
W. Diffie, P. van Oorschot, M. Wiener: Authentication and Authenticated Key Exchanges, 1992
![Page 3: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/3.jpg)
Why PFS?
Installing TCPDUMP on a DD-WRT device:
Emtunc's Blog!
$0.01 per GB
![Page 4: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/4.jpg)
Why PFS?
5% per month free
$0.01 per GB - extra
![Page 5: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/5.jpg)
Non-PFS Example
● Session key is generated from the Premaster and random numbers 'a' and 'b'
● Premaster is encrypted with the server's 'long-term' key
● If the 'long-term' key is compromised, the session key is compromised too.
![Page 6: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/6.jpg)
PFS: Diffie-Hellman
ServerKeyExchange will contain additional DH params:
● p – big prime
● g – its primitive root
● Ys = g^a mod p
ClientKeyExchange will contain ClientDiffieHellmanPublic instead of the RSA Premaster Secret:
● Yc = g^b mod p, where 'a' and 'b' are random numbers picked by Server and Client independently
Shared Secret = g^(ab) mod p = Ys^b mod p = Yc^a mod p
g is a primitive root of p: ∀ a coprime to p ∃ k : g^k ≡ a (mod p)
W. Diffie, M. Hellman: “New Directions in Cryptography”, 1976
RFC 5246
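The exchange above, as an added example that is not part of the slides: both sides compute g^(ab) mod p from the values that actually cross the wire, the primitive-root property of g is checked the way the formula on the slide defines it, and the "attack complexity = discrete logarithm" entry of the cheatsheet is shown by brute force. The group p = 23, g = 5 is a constructed toy; the function names are my own.

```python
import random

# Added example, not from the slides: finite-field Diffie-Hellman with a toy prime.
# p = 23, g = 5 is a textbook toy group; real DHE uses primes of 2048 bits or more.
P = 23
G = 5


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g is a primitive root mod p iff its order is p-1, i.e. g^((p-1)/q) != 1 for
    every prime q dividing p-1. Equivalent to the slide's statement that every a
    coprime to p is some power g^k mod p."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def dh_exchange(p=P, g=G, seed=1):
    """One DHE handshake: server picks a, client picks b, both derive g^(ab) mod p."""
    rng = random.Random(seed)           # seeded only so the example is reproducible
    a = rng.randrange(2, p - 1)         # server's ephemeral private exponent
    b = rng.randrange(2, p - 1)         # client's ephemeral private exponent
    ys = pow(g, a, p)                   # Ys, sent in ServerKeyExchange
    yc = pow(g, b, p)                   # Yc, sent in ClientKeyExchange
    server_secret = pow(yc, a, p)       # Yc^a mod p
    client_secret = pow(ys, b, p)       # Ys^b mod p
    return {"a": a, "b": b, "Ys": ys, "Yc": yc,
            "server": server_secret, "client": client_secret}


def discrete_log(y, g, p):
    """Brute-force k with g^k = y (mod p). Only feasible because p is tiny; for a
    2048-bit p this loop is exactly the problem a passive observer of the
    transcript (p, g, Ys, Yc) faces, which is why a and b are never sent."""
    for k in range(p - 1):
        if pow(g, k, p) == y:
            return k
    return None


if __name__ == "__main__":
    assert is_primitive_root(G, P)
    ex = dh_exchange()
    print("Ys=%d Yc=%d shared=%d" % (ex["Ys"], ex["Yc"], ex["server"]))
    print("a recovered from Ys by brute force (toy p only):", discrete_log(ex["Ys"], G, P))
```

Compare this with the non-PFS slide: in the RSA handshake the premaster travels on the wire under the long-term key, so a recorded session plus that key yields the session key; here nothing on the wire yields the secret without solving the discrete logarithm, and the per-session a and b are discarded after use.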
![Page 7: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/7.jpg)
Old DH - Performance Problem
From Vincent Bernat's SSL/TLS Blog
● At around 500 TPS the response time for DH grows from 10 ms to 10 s
● For traditional RSA everything runs smoothly until 2500 TPS
![Page 8: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/8.jpg)
DH with Curves
ServerKeyExchange will contain EC parameters:
● It can be a pre-defined named curve
● Or an explicitly defined curve with all necessary params:
  ● p – big prime, which defines Fp
  ● ECurve (a, b) (y^2 = x^3 + ax + b)
  ● ECPoint – base point (G)
  ● order – order of G
  ● cofactor – order * cofactor = |E(Fp)|
It also contains the public ECDH server key:
Ys = aG
ClientKeyExchange will contain ClientECDiffieHellmanPublic with:
Yc = bG
Shared Secret = abG = aYc = bYs
where 'a' and 'b' are random numbers picked by Server and Client independently and are less than the order of G.
An Efficient Protocol for Authenticated Key Agreement, 1998
RFC 4492
![Page 9: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/9.jpg)
Old DHE vs. ECDHE
From Vincent Bernat's SSL/TLS Blog: It's time for 1000 handshakes
● On the server side DHE is three times slower than RSA 2048
● For optimized ECDHE-64 the overhead is 15% only
![Page 10: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/10.jpg)
TLS Cheatsheet

| TLS Handshake Algo | Public(*) params used for Session Key generation | Private(*) params used for Session Key generation | Long-term key (LTK) purpose | Attack complexity | Speed |
|---|---|---|---|---|---|
| Classic (RFC 5246) | Random a, b; public cert of LTK | Premaster Secret sent encrypted with LTK's cert; LTK | Authentication and encryption | Same as attack on RSA/DSA based PKI | Still fastest |
| DHE (RFC 5246) | p – big prime; g – its primitive root | Random, private a, b (a and b are never sent) | Authentication only | Same as discrete logarithm problem | Slow |
| ECDHE (RFC 4492) | p – big prime; G – base point; r – order of G; k – small cofactor: kr = \|E(Fp)\|; a – curve's param; b – curve's param | Random, private a, b (a and b are never sent) | Authentication only | Same as discrete logarithm problem | Almost the same as classic RSA |

(*) Public means sent unencrypted, private – not sent or sent encrypted.
![Page 11: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/11.jpg)
PFS Implementations
As discussed, we have three major options:
● No Diffie-Hellman
● Older Diffie-Hellman without curves (DHE)
● New Diffie-Hellman with curves (ECDHE)
A server can also:
● Have preferred ciphers that fall into one of the categories above
● Support or not support the newer and older DH protocols
![Page 12: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/12.jpg)
PFS Grades
Based on the discussed criteria we can come up with grades:

| Supported | Preferred | Grade |
|---|---|---|
| PFS only | ECDHE | 1 |
| PFS only | DHE | 2 |
| PFS and non-PFS | ECDHE | 3 |
| PFS and non-PFS | DHE | 4 |
| DHE, ECDHE and non-PFS | Non-PFS | 5 |
| DHE and non-PFS | Non-PFS | 6 |
| PFS not supported | Non-PFS (obviously) | 7 |
![Page 13: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/13.jpg)
PFS Grades
Why are preferred ciphers important?
● The client can send a list of ciphers that it supports
● The server will always select its preferred cipher, even if the client has a better cipher in the list
Why is ECDHE vs. DHE important?
● Because of performance (see slides 7 and 9)
● If we don't care about performance, we could consider the following grades equivalent: 1 and 2, 3 and 4, 5 and 6
You can reduce the number of grades to 4 if you care about security only, but it's probably not a wise thing to do, because too many security initiatives are stopped because of “poor performance”. Example – old DHE itself vs. RSA.
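The grading table and the server-preference rule above, turned into code as an added example (this is not the pfschecker tool's code): a server is described by the suites it accepts in its own preference order, each suite is classified by its key exchange from its OpenSSL name (the naming used in the config on slide 16), and the grade is read off the table. The sample suite lists are constructed. Two points of my own are made explicit in comments: static ECDH- suites and plain RSA/PSK/KRB5 suites count as non-PFS because nothing ephemeral is involved in their key exchange, and the table has no row for "ECDHE only plus non-PFS, non-PFS preferred", which I map to grade 5.

```python
# Added example, not the pfschecker code. Classify OpenSSL suite names by key exchange
# and grade a server according to the seven-grade table.

def kx_class(suite):
    """Key-exchange class of an OpenSSL cipher-suite name."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-", "EXP-EDH-")):
        return "DHE"
    # ECDH- (static ECDH), AES*/RC4*/DES* (RSA key transport), PSK-, KRB5-, EXP-*:
    # no ephemeral secret, so a leaked long-term key exposes recorded sessions.
    return "NON_PFS"


def negotiate(server_suites, client_offer):
    """Server-preference selection: the first suite in the server's order that the
    client also offers wins, whatever the client ranked first."""
    offered = set(client_offer)
    for s in server_suites:
        if s in offered:
            return s
    return None


def grade(server_suites):
    """server_suites: suites the server accepts, most preferred first (assumes the
    server enforces its own order, as the slide says it does)."""
    classes = [kx_class(s) for s in server_suites]
    supported = set(classes)
    preferred = classes[0]
    has_non_pfs = "NON_PFS" in supported
    has_ecdhe = "ECDHE" in supported
    has_dhe = "DHE" in supported
    if not (has_ecdhe or has_dhe):
        return 7                                  # PFS not supported at all
    if preferred == "ECDHE":
        return 3 if has_non_pfs else 1
    if preferred == "DHE":
        return 4 if has_non_pfs else 2
    # non-PFS preferred although PFS is available
    if has_dhe and has_ecdhe:
        return 5
    if has_dhe:
        return 6
    return 5   # ECDHE only + non-PFS preferred: not in the table, my assumption


# Constructed sample servers (names follow the slide 16 config).
SAMPLE_SERVERS = {
    "pfs-only-ecdhe": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA"],
    "pfs-only-dhe": ["DHE-RSA-AES256-GCM-SHA384"],
    "ecdhe-preferred-fallback": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "dhe-preferred-fallback": ["DHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA"],
    "non-pfs-preferred-both": ["RC4-SHA", "ECDHE-RSA-RC4-SHA", "EDH-RSA-DES-CBC3-SHA"],
    "non-pfs-preferred-dhe": ["AES256-SHA", "DHE-RSA-AES256-SHA"],
    "baseline-only": ["AES128-SHA", "RC4-MD5", "RC4-SHA", "AES256-SHA", "DES-CBC3-SHA"],
    "static-ecdh-only": ["ECDH-RSA-AES128-SHA"],
}


def grade_all(servers=SAMPLE_SERVERS):
    return {name: grade(suites) for name, suites in servers.items()}


if __name__ == "__main__":
    for name, g in grade_all().items():
        print("%-26s grade %d" % (name, g))
    # The client lists ECDHE first, but this grade-7-looking server order wins:
    print(negotiate(["AES128-SHA", "ECDHE-RSA-AES128-SHA"],
                    ["ECDHE-RSA-AES128-SHA", "AES128-SHA"]))
```

The negotiate function is why the "Preferred" column, not the "Supported" column, decides the real-world outcome: a server that lists a non-PFS suite first will use it with every client that offers it, and almost every client does.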
![Page 14: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/14.jpg)
PFS Testing
I've selected 10 companies in each of the following industries:
● Manufacturing
● Finance
● Government
● InfoSec
● Defense
● Health
● Internet
● Electronics
● Education
● Software
![Page 15: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/15.jpg)
PFS Testing
● How – Just googled them, e.g. “top health providers”
● The biggest challenge – it was difficult to find SSL-protected websites in Defence – everything is usually public at those :)
● Exception – their job-related portals
● Used a Python client with a JSON configuration file
Code: sf.net/projects/pfschecker
![Page 16: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/16.jpg)
PFS Testing Config
```json
{
"statfile":"statfile.html",
"ciphers":"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5",
"baseline_ciphers":"AES128-SHA:RC4-MD5:RC4-SHA:AES256-SHA:DES-CBC3-SHA",
"hosts":[
{"host":"www.bank1.com","port":443,"name":"Bank One","tag":"Finanace"},
{"host":"www.bank2.com","port":443,"name":"Bank Two","tag":"Finanace"},
{"host":"www.bank3.com","port":443,"name":"Bank Three","tag":"Finanace"},
{"host":"www.bank4.com","port":443,"name":"Bank Four","tag":"Finanace"}
]
}
```
![Page 17: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/17.jpg)
PFS Testing Results
![Page 18: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/18.jpg)
PFS Winners
Winners:
● Internet
● InfoSec
● Defence
● Education
At least one has PFS as preferred:
● Manufacturing
● Government
● Health
PFS not implemented as preferred:
● Finance
● Electronics
● Software
Some Thoughts:
● Finance organizations are usually very good when it comes to privacy or fraud, but do not adopt technology fast
● Internet companies might not be that good in privacy, but are quick in picking up new technologies, including security
● Education/Universities are similar when it comes to innovations
● InfoSec, Defence – they ought to and could've done even better IMO
![Page 19: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/19.jpg)
PFS Testing: Internet
Details for Internet Companies
● No difference in handshake time from the client's point of view
● All major Internet companies graded as 3 or 4
● Everyone supports all versions of TLS
● Everyone uses the same fast preferred ECDHE cipher
Disappointment:
● SSLv3 and TLSv1 support. I would love to see only TLSv1.2
![Page 20: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/20.jpg)
PFS Testing: Finance
Details for Finance Companies
● Too many companies (80%) don't support PFS at all (grade 7)
● Poor support for the newer TLS versions (1.1 and 1.2)
![Page 21: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/21.jpg)
PFS Browser Support
What about browsers' support for ECDHE?
From Qualys Community Website
![Page 22: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/22.jpg)
PFS Conclusion
● There is no reason why you can't move your servers to category #3 or #4 (there is a fallback to non-PFS)
● To move them to categories #1 or #2 (there is no fallback to non-PFS) a decision about not supporting legacy browsers should be made. That decision would make perfect sense, since it'll improve the overall security of web applications.
● Other factors to consider when making a decision about not supporting “legacy browsers”:
– They are less secure
– You want to take full advantage of HTML5
– Upgrading to newer versions is usually free
Just Tell Them to Upgrade! No significant excuses are left.
![Page 23: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/23.jpg)
Exception: Network Traffic Analyzer
[Diagram: Web Servers, App Servers and DB. The external link to the Web Servers is PFS; the internal links Web Servers – App Servers and App Servers – DB are Non-PFS and are tapped by the Network Traffic Analyzer's Agent.]
You might need to go non-PFS for internal communications to collect/analyze traffic
![Page 24: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/24.jpg)
PFS: One Grade
Only ECDHE. No fallback on anything less perfect.
![Page 25: Seven Grades of Perfect Forward Secrecy](https://reader033.vdocuments.us/reader033/viewer/2022060118/558a5479d8b42a851e8b461b/html5/thumbnails/25.jpg)
Q & A
Thanks for Coming!
Oleg Gryb
Sr. Manager, Security Engineering @ Samsung Strategy and Innovation Center
Twitter: @oleggryb