Lets talk about TLS 1.3

1. Lets talk TLS 1.3
Huzaifa Sidhpurwala
Red Hat Product Security Team

2. We are going to talk about:
●
What is SSL/TLS and why is it so important?
●
Security flaws affecting older versions of
SSL/TLS
●
What is new in TLS 1.3 (security, performance)
●
Implementations

3. What is SSL/TLS a.k.a why do I
care?
●
Most used protocol on the internet.
●
Currently all protocols are wrapped in SSL/TLS
to secure them on internet.
●
Most flaws found with SSL/TLS, higher attack
surface.
●
Most implemented protocol on the internet:
OpenSSL, NSS, GnuTLS, java etc

4. Heartbleed
●
First of its kind!
●
Implementation flaw in heartbeat extension in
OpenSSL
●
Lead researchers to look deeper in SSL/TLS
code.

5. LUCKY-13
●
Timing attack against CBC
●
Known previously, but this time they found a
novel way to exploit it.
●
All open source SSL/TLS code was found to be
vulnerable.

6. BEAST
●
Affects TLS 1.0 and earlier.
●
Purely a client-side flaw, normally affects
browsers with malicious extensions.
●
Can be used to predict plain text.

7. TLS 1.3 ?
●
There were others as well...
– CRIME
– POODLE
– SWEET-32

8. TLS 1.3 ?
●
We need a new protocol designed from ground
up with security in mind, rather than older
“patched” versions.

9. TLS 1.3 ?
●
Improvement in two major fields
– Performance (with security in mind)
– Security

10. TLS 1.3 performance
●
Faster handshakes
1
2
3
4

11. TLS 1.3 performance
●
TLS 1.3 handshake:
1
2
3
4

12. Session resumption with TLS
●
Session identifiers:
– Servers keep track of sessions via session ids.
Client re-connects with session id to resume the
session.
●
Session tickets:
– After handshake, a session ticket (blob of session
key + associated data) encrypted with server key is
sent to be stored with the client.
– On resumption client presents this to the server.

13. Session resumption in TLS 1.3
●
Both of the previous methods are not obsolete.
●
Replaced by PSK mode in TLS 1.3
●
“The idea is that after a session is established, the
client and server can derive a shared secret called
the “resumption master secret”. This can either be
stored on the server with an id (session id style) or
encrypted by a key known only to the server (session
ticket style). This session ticket is sent to the client
and redeemed when resuming a connection.”

14. TLS 1.3 performance
●
Faster Session Resumptions
1
2
3
4

15. TLS 1.3 security
●
Remove old and obsolete crypto
– RSA
– RC4, SHA1, MD5 (sloth)
– CBC (lucky-13, poodle)
– No compression (crime)
– Remove PKCS #1 v1.5

16. TLS 1.3 security
●
Add new crypto features
– Anti-downgrade feature.
– New session resumption features
– New ECC curves
– Privacy of certs during handshakes
– ChaCha20/Poly1305

17. Implementations
●
OpenSSL: OpenSSL-1.1.1 includes TLS 1.3
support.
●
NSS 3.39 contains support for the final version
of TLS 1.3
●
GnuTLS: 3.6.5 contains support for TLS 1.3

18. References:
●
https://www.ietf.org/blog/tls13/
●
https://www.openssl.org/blog/blog/2017/05/04/
tlsv1.3/
●
https://nikmav.blogspot.com/2018/05/gnutls-
and-tls-13.html
●
https://access.redhat.com/blogs/766093/posts/2
975791
●
https://access.redhat.com/blogs/766093/posts/2
978671

19. Email: huzaifas@redhat.com
Questions?