<i>35C3 preroll music</i>

Herald-Angel: All right. Now it's my very
big pleasure to introduce Hanno Böck to

you. He's no stranger to the Chaos crowd.
He's been to several Easterheggs and at

several other Chaos events. Today he's
here to talk about TLS 1.3, what it's all

about how it came to be and what the
future of it is gonna look like. Please

give a huge applause and welcome Hanno.
hanno: Yeah. Okay. So today I want to talk

to you about a new version of TLS. TLS is
this protocol, Transport Layer Security,

which I hope everyone knows what it is.
It's a protocol that you can put on top of

other protocols that gives us an encrypted
and authenticated channel through the

generally insecure internet. We have a new
version since August, TLS 1.3. At first

I'd like to go a bit into the history of why we
have this new version, how we got there

and what design decisions were made for
this version. So the very first version of

SSL which it was called back then was
released in 1995 by Netscape and it was

quickly followed up with version 3 which
is still very similar to the TLS 1.2 that

we mostly use today. And then in 1999 it
was kind of taken over from Netscape to

the IETF, which is the Internet
standardization organization, and they

renamed it to TLS. And so that's kind of
the history. We had SSL and I've marked it

in red because these two versions are
broken by design. You cannot really use

them in a way that is secure these days
because we know vulnerabilities that are

part of the protocol. And then we had, in
1999 it was renamed to TLS, and TLS is

kind of still kind of OK if you do
everything right. But that's really

tricky. So it's kind of a dangerous
protocol but maybe not totally broken.

Same with TLS 1.1. TLS 1.2 is what we
still mostly use today and TLS 1.3 is the

new one and what you can see here for
example is that the the biggest gap here

is between 1.2 and 1.3, so it was a very
long time where we had no new development

here. You probably heard that we had
plenty of vulnerabilities in TLS, around

TLS and also these days, a good
vulnerability always has a logo and a nice

name. And I want to go into one
vulnerability which doesn't have a logo.

Not one of the variants. I was very
surprised when I realized that. That's the

so-called Padding Oracles. They are in CBC
mode which is the encryption we use for

the actual data encryption, the symmetric
data encryption. The thing is, when we

encrypt data what we usually use are so-
called block ciphers and they encrypt one

block off a specific size of data. It's
usually sixteen bytes and this CBC mode

was the common way to encrypt in past TLS
versions. And this is roughly how it looks

like. So we have some initialization
vector which should be random, but wasn't

always, but that's another story. And then
we encrypt a block of data and then we XOR

that encryption into the next plain text
and encrypt it again. Now one thing here

is that because these are blocks of data
and our data may not always be in sixteen

byte blocks it may just be five bytes or
whatever, we need to fill up that space.

So we need some kind of padding. In TLS,
what was done was that first of all we had

some data. Then we added a MAC, which is
something that guarantees the correctness

of the data, the authentication of the
data. And then we pad it up to a block

size and then we encrypt it. And this
order of things turned out to be very

problematic. So this padding is a very
simple method. If we have one byte to fill

up we make a 00. If we have two bytes to
fill up well you make 0101, three bytes

020202 and so on. So that's easy to
understand, right? Let's for a moment

assume a situation where an attacker can
manipulate data and can see whether the

server receives a bad padding or whether
it receives bad data, where this MAC check

goes wrong. And here is the decryption
with CBC mode. And what an attacker can do

here: the first thing the attacker does,
it throws one block away at the end, it

just blocks the transmission of that block
and then it changes something here. So

what we assume here is the attacker wants
to know this decrypted byte because it may

contain some interesting data. So what he
can do is he can manipulate this byte with

a guess and a byte is only 256 values a
byte can have. So he can guess enough

times and XOR it with this value. And if
you think about it if we XOR it here with

the plaintext. That means if we end up
with this zero here then the padding is

valid. If we end up with some garbage
value here, then the padding is probably

invalid. So by making enough guesses the
attacker can decrypt a byte here under the

condition that he learns somehow whether
the padding is valid or not. So he could

decrypt one byte but he can't go on. Let's
assume we will learn that one byte we have

decrypted it and then we can go on with
the next byte. So we XOR this byte on the

right with the guess with what we already
know that it is and with the one and. Then

we XOR this next byte with our guess and
also a one. And if this ends up being 0101

then again we have a valid padding. So the
attacker learns the next byte and he can

do this for other bytes. This was
originally discovered in 2002 by Sergey

Vaudenay. But it was kind of only
theoretical. So one thing here is that TLS

has these error messages. There are
different kinds of errors. And if you read

through the TLS 1.0 standard, if the
padding is wrong then you get this

decryption_failed error. And if the MAC is
wrong, so the data has some modification,

then you get this bad_record_mac error. So
you could say this would allow this

Padding Oracle attack because there are
these error messages. But the attacker

cannot see them because they are
encrypted. So this was kind of only a

theoretical attack which didn't really
work on a real TLS connection. But then

there was a later paper which made this
attack practical by measuring the timing

difference from these different kinds of
errors. And this allowed a practical

decryption of TLS traffic. Then in later
versions of TLS this was fixed or kind of

fixed. But there is a warning in the
standard which says.. So this is right

from the standard text. "This leaves a
small timing channel but it is not

believed to be large enough to be
exploitable." If you read something like

that, it sounds maybe suspicious, maybe
dangerous. And actually in 2013 there was

these so-called Lucky Thirteen attack
where a team of researchers actually

managed to exploit that small timing side
channel that the designers of the standard

believed was not large enough to be
exploitable. It is in theory possible to

implement TLS in a way that it is safe
from this timing attacks. But it adds a

lot of complexity to the code. If you just
look at when Lucky Thirteen was fixed, it

just made the code much longer and much
harder to understand. Then there was

another Padding Oracle which was called
POODLE, which was in the old version

SSLv3. This was kind of by design. So the
protocol was built in a way that you could

not avoid this Padding Oracle. Then it
turned out that there was also a kind of

TLS variation of this POODLE attack. And
the reason here was that the only major

change between SSLv3 and TLS 1.0 was that
the padding was fixed to a specific value,

where in the past it could have any value.
It turned out that there were TLS

implementations that were not checking
that, enabling this poodle attack also in

TLS. Then there was the so-called Lucky
Microseconds attack which was basically

the.. one of the people who has found the
Lucky Thirteen attack looked at

implementations and saw if they have fixed
Lucky Thirteen properly. They looked at

s2n, which is an SSL library from Amazon
and they found: "Ok, they tried to make

countermeasures against this attack but
these countermeasures didn't really work

and they had still a timing attack that
they could perform." Then there was a bug

in OpenSSL which was kind of funny because
when OpenSSL tried to fix this Lucky

Thirteen attack, they introduced another
Padding Oracle attack which was actually

much easier to exploit. We had plenty of
Padding Oracles. But if you remember back

what I said, for the very first attack
that this didn't really work in practice

in TLS, because these errors are
encrypted. But theoretically you could

imagine that someone creates an
implementation that sends errors that are

not encrypted. For example you can send a
TCP error or just cut the connection or

have any kind of different behavior
because the whole attack just relies on

the fact that you can distinguish these
two kinds of errors. You can find

implementations out there doing that. So
yeah, Padding Oracle is still an issue.

Then I want to look at another attack
which is a so-called Bleichenbacher

attacks and they target the RSA encryption
and that is kind of the asymmetric

encryption which we use at the beginning
of a connection to establish a shared key.

This attack was found in 1998 by Daniel
Bleichenbacher. If you look at the RSA

encryption before we encrypt something
with RSA, we do some preparations. The way

this is done and in all TLS versions is
these so-called PKCS #1 1.5 standard. How

this looks is: it starts with the 00 02.
Then we have some random data which is

just again a padding to fill up space.
Then we have zero which marks the end of

the pending. Then we have a version number
03 03, which stands for TLS 1.2. It's

totally obvious right. I'll get two
version numbers later. And then we have

the secret data. But the relevant thing
for this attack is mostly this 00 02 at

the beginning. So we know each correct
encrypted block, if we decrypt it, it

starts with 00 02. We may wonder if we
implement a TLS server and it decrypts

some data from the client and then it
doesn't start with 00 02: what shall I do?

And the naive thing would be: yeah of
course we just send an error message

because something is obviously wrong here.
Now this turns out to be not such a good

idea because if we do this we will tell
the attacker something. We will tell him

that the decrypted data does not start
with 00 02. So the attacker learned

something about the interval in which the
decrypted data is. Either it starts with

00 02 or it doesn't. And this turned out
to be enough to.. if you send enough

queries and modify the ciphertext you can
learn enough information to decrypt data.

The whole algorithm is a bit more
complicated but it's not that complicated.

It's relatively straightforward. It's a
bit of math and I didn't want to put in

any formulas but yeah. Now as I said it
was discovered in 1998. So TLS 1.0

introduced some countermeasures. The
general idea here is that if you decrypt

something and it is wrong then you're
supposed to replace it with a random value

and use that random value as your secret
and pretend nothing has happened and then

continue and then the handshake will fail
later on because you don't have the same

key. This prevents the attacker from
learning whether your data is valid or

not. In 2003 a research-team figured out
that the countermeasures how they were

described and TLS 1.0 were incomplete and
also not entirely, it was not entirely

clear how to implement them. Because
there's this version-thing and it was not

exactly described how to handle that. If
only the version is wrong. So they they

were able to make, to create an attack
that still worked despite this

countermeasures. So more countermeasures
were proposed and in 2014 there was a

paper that Java was still vulnerable to
Bleichenbacher-attacks in a special way

because they used some kind of decoding,
then raised an exception. And the

exception was long enough that you could
measure the timing difference. And there

was also still a small issue in OpenSSL
although that was not practically

exploitable. In 2016 there the so-called
drown-attack. And the drown-attack was a

Bleichenbacher-attack in SSL version 2.
Now you may wonder SSL-version 2 is this

very very old version from 1995. Is this a
problem? But it actually is because you

can use encrypted data from a modern TLS-
version, TLS 1.2, and and decrypt it with

a server that still supports SSL version
2. So that was the drown-attack. And then

last year I thought maybe someone should
check if there are still servers

vulvernable to these Bleichenbacher-
attacks. So I wrote a small scan tool and

started scanning, and scanned the Alexa
top-1000000. The first hit was

Facebook.com was vulnerable and it turned
out from the top-100 pages roughly 1/3

were vulnerable. And in the end we found
like 15 different implementations that

were vulnerable. Probably more but these
were the ones we know about. Yeah. And

just I think a month ago there was another
paper, that there also you can use cache-

sidechannels which is mostly interesting
if you have cloud-infrastructure where

multiple servers are running on the same
hardware, which you can also use to

perform these Bleichenbacher-attacks. Now
what I want to show you here: You cannot

read this because it's too small but this
is the chapters in the TLS-standard that

describe the countermeasures to these
Bleichenbacher-attacks. So we knew about

them since before TLS 1.2, so there was a
small chapter what you should do to

prevent these attacks. And then they
figured out: OK that's not enough. We need

to have more countermeasures, and even
more. So, what you can clearly see here is

it's getting more and more complicated to
prevent these attacks. So with every new

TLS-version we had more complexity to
prevent these Bleichenbacher-attacks.

These were just two examples. There were a
lot more attacks on TLS 1.2 and earlier

that were due to poor design choices. I've
named a few here: SLOTH, which was all

against weak caches, FREAK which can
attack issues in the handshake and

compatibility with old versions, SWEET32
which attacks some block-ciphers that have

a small blocksize, Triple-Handshake which
is a very complicated interaction of

different handshakes. The general trend
here was that in TLS 1.2 and earlier, if

there was a security bug, if there was a
vulnerability in the cryptography, what

people did was: We need a workaround for
the security issue. And then if this

workaround doesn't work it's not
sufficient. We need more workarounds. And

also we create more secure modes but we
still keep the old ones. And then people

can choose. We have this algorithm
agility. You can choose, there's the

secure algorithm, there's the less secure
algorithm. Take whatever you want. Which

in practice meant very often still the
insecure modes were used because like for

all of these things there were modes
available in TLS 1.2 that didn't have

these vulnerabilities. But they were
optional. But, and I think that is the

major change that came with TLS 1.3, was a
mindset-change that people said, okay if

something has vulnerabilities, if it's
insecure and if we have something better

then we just remove the thing that is
vulnerable, that is problematic. So the

main change in TLS 1.3 was that a lot of
things were deprecated. So we no longer

have these CBC-modes. We no longer have
our RC4 which is another cipher which was

problematic. We no longer have 3DES, which
has these small blocksizes. We still use

GCM but we no longer use it with an
explicit nonce, which also turned out to

be problematic. We completely remove RSA-
encryption. We still use RSA but only for

signatures. We remove hash-functions that
turned out to be insecure. We remove

Diffie-Hellman with custom parameters,
which was, yeah, which turned out to be

very problematic. And we removed ecliptic-
curves that kind of look not so secure.

But also there was something that some
academics looked at TLS with the more

scientific view. They tried to formally
understand the security protocol,

properties of this protocol and to analyze
them to see if they can proof some kind of

security properties of the protocol. And
many vulnerabilities that I mentioned

earlier were found by these researchers
trying to formally analyze the protocol.

But also these analyses have contributed
to design TLS 1.3 to make it more robust

to attacks. So this is, I think, also a
big change. There was a much better

collaboration between scientists who were
looking at the protocol and the people who

were actually writing the protocol. But
you may see, all the security is nice but

what we really care about or maybe some
people really care about is speech, right.

We want our internet to be fast. We want
to open our browser and immediately get

the page loaded. And TLS 1.3 also brings
improved speed. And I am showing here the

handshake. And this is very simplified. I
have kind of only added the things that

matter to make this point. But, if you
look at on the left, if we do a handshake

with an old TLS-version it starts that
this client sends a client-hello, and some

information, what version it supports,
what encryption modes it's supports. Then

the server sends back which encryption
modes it wants to use and a key

exchange. And then the client sends his
part of the key exchange. And the so-

called finished message and then the
server sends a finished message and then

the client can start sending data. In TLS
1.3 we have compressed this all a bit. The

client sends his client-hello and
immediately sends a key-exchange message.

And then the server answers with his key-
exchange message. And a few more things

that I left out for simplicity. But the
important thing is that with the second

message the client can already send data.
And this is the situation for a fresh

handshake. Like we have not communicated
before. I want to make a new connection to

a server and it goes one time back and
forth. And then I can send data. Which,

and in the earlier version I had two times
back and forth. So I can send data much

faster. So yeah, we remove one round-trip
from a fresh handshake. There's also

security improvements to this handshake.
So this is nice. We have more security and

more speed. And particularly we have
better security on so-called session-

resumption, which means we're reconnecting
using a key from a previous section. And

we also protect more data which may avoid
some attacks where an attacker may fiddle

with the handshake. These were more or
less theoretic attacks. But these are also

prevented in TLS 1.3. Yeah. So TLS has a
more secure and a faster handshake. And if

you want to have more details about this
handshake there was a talk two years ago

at this congress, which goes into this in
much more detail. So if this particularly

interests you you should watch that talk.
I've put a link here and I will put the

slides online. There's also something
called the zero-roundtrip-handshake. And

this is even faster. We can send data
right away. Now, how can we do that? This

is kind of cheating because what we need
here is we need to have a previous

connection. And then we have a key from a
previous connection, can create a new key

from that and use that to send data right
away. So yeah, we need a so-called

preshared-key which we have from previous
connection and then we can send data

without any roundtrips. So, even more
speed. That's nice, right. But this 0-RTT-

mode does not come for free. There is a
problem here with so-called replay-

attacks, which means an attacker could
record the data that we're sending and

then send it again. And the server may
think: Okay, now this request came twice.

So I'm doing twice what this request was
supposed to do. So there are some caveats

with 0-RTT and the standard says you
should only use if it's safe. It says

something like you should only use it if
you have a profile how to use it safely.

Now what does that mean? There, let's look
at https, the protocol we're using

usually. If you look into the HTTP-
standard it says something that a GET-

request has to be idempotent and a POST-
request does not have to be idempotent.

Now what does that mean? It more or less
means if you send a request twice it

shouldn't do anything different from just
sending it once. So in theory we could say

yes a GET-requests are idempotent - that
means they are safe for zero-roundtrip-

connections. The question is, "do web-
developers" ... Sorry.

<i>applause</i>
You can do a little experiment: If you

meet someone who is a web developer, ask
them if they know what idempotent means,

and when they can use idempotent requests
and when they cannot. So, in an ideal

situation where web-developers do know
that, we can use 0-RTT safely with TLS

1.3. 0-RTT also does not have a strong
forward secrecy as a normal handshake. So,

there's kind of a tradeoff here, because
this pre-shared key is encrypted with a

key on the server and if that key gets
compromised that may compromise our

connection even if the key is only leaked
later on. So, this looks a bit problematic

and many speculate that the future attacks
we'll see on TLS 1.3, that at least some

of them will focus on this 0-RTT mode,
because it looks like one of the more

fragile parts of the protocol. But it
gives us more speed., so people wanted to

have it. Maybe the good news is, this is
entirely optional; we don't have to use

it; and if we think this looks too
problematic, we can switch it off. So, if

it turns out that there are too many
attacks involving 0-RTT mode, we could

disable it again and use it without it. It
will still be faster, but not as fast as

it could be with this. Okay. Deployment:
Now, if we have this nice new protocol, we

not only have to make sure it's secure and
fast and everything, but we also have to

deploy it. And we have to deploy it on the
internet - on the real internet - like the

one we have out there, not some
theoretical internet where there are no

bugs and everyone knows how to implement
protocols, but the real internet with lots

of IoT devices and enterprise firewalls
and all these kinds of things. And now I

want to get back to this version number.
This may sound like a trivial thing, but

TLS 1.3 has a new version number for the
protocol version. Here's a Wireshark dump

from a TLS 1.3 handshake. And if you're
trying to look for the version number, you

will find multiple version numbers. And in
case you cannot see it, I have made it a

bit larger. So at the top you see
"Version: TLS 1.0", encoded as 0x0301.

Okay. That looks strange. Then, a few
lines later, you have "Version TLS: 1.2",

0x0303. But we thought this was TLS 1.3...
I mean it says here at the top but somehow

there are these other versions. And then
if you scroll further down, you will see

"Extension: supported_versions". And then
here it lists TLS 1.3, which is encoded as

0x0304. So, what's going on here? This
looks strange. So, the first thing to

realize is why do we encode these versions
in such a strange way; why are we not

using 0x0100 for TLS 1.0? It's TLS 1.0
came after SSL version 3, which kind of

makes it version 3.1; and that's how we
encode it. TLS 1.0 is really just SSL

version 3.1, TLS 1.1 is SSL version 3.2
and so on and for TLS 1.3, it's

complicated. So, the very first version
you saw earlier in this Wireshark dump was

the so-called record layer and this is
kind of a protocol inside the TLS protocol

which has its own version number, which is
totally meaningless but it's just there.

And it turned out, for compatibility
reasons, it's best to just let this on the

version of TLS 1.0 and then, we have the
least problems. And this is kind of...

this record layer protocol is kind of the
encoding of the TLS packages. Now, if we

have a new TLS version, we cannot just
tell everyone "tomorrow we will use TLS

1.3" and everyone has to update, because
we know many people won't. And so, we

somehow need to be able to deploy this new
version and still be compatible with

devices that only speak the old version.
So, let's assume we have a client that

supports TLS 1.2, and we have a server
that only supports TLS 1.0. How does that

work? That's an extremely complicated
mechanism here. So, the client connects

and says "Hello. I speak TLS 1.2". Server
says "Okay, I don't know TLS 1.2, but

what's the highest version I support?"
It's TLS 1.0, so he sents that back. And

then, they can speak TLS 1.0 and - in case
the client still supports that - and we

have a connection. This is very simple. I
would think so. So, to illustrate how you

would program something like that, you
would say "Yeah, if client_max_version is

smaller than than server_max_version, then
we use the client_max_version. Otherwise,

we use the server_max_version. So, you
would think that there's no way anyone

could possibly not get that right, right?
I mean, it's very simple. But I was saying

earlier, we were talking about the real
internet. So... And on the real internet,

we have enterprise products. In case you
don't know that, an enterprise product is

something that's very expensive and it's
buggy.

<i>Laughter</i><i>Applause</i>
hanno: So, yeah. We will have web pages

that run with firewalls from Cisco or we
will have people using IBM Domino web

server and all these kinds of things. And
this is the TLS version negotiation in the

enterprise edition. So a client says "Yeah
I want to connect with TLS 1.2" and the

server says "Oh I don't support this this
very new version. It's from 2008. I mean

that's 10 years in Enterprise years.
That's very long." So the server just

sends an error if the client connects with
the TLS version that it doesn't know. It

doesn't implement this version negotiation
correctly. And this is called version

intolerance. This has happened every time
there was a new TLS version. Every time we

had devices that had this problem. If we
tried to connect with the new TLS version

they would just fail. They would send an
error or they would just cut the

connection or have a timeout or crash. So
browsers needed to handle this somehow

because the problem here is, when a
browser introduces new TLS version and

everything breaks, then users will blame
the browser and then they will say "Yeah I

will no longer use this browser, I'll now
switch back to Internet Explorer" or

something like that. So browsers needed to
handle this somehow. What the browsers did

was "Okay, we try it with the latest TLS
version we support. And if we get an error

we try it again with one version lower.
And again one version lower and eventually

we may succeed to connect." So here we
have a browser and we have an enterprise

server that supports TLS 1.0 and we will
eventually get a connection. Do you

remember POODLE I mentioned earlier? There
was this padding oracle in SSLv3, which

was discovered in 2014. You may wonder
SSLv3 which is from 1996, that's really

old. Who uses that in 2014? It was
deprecated for 16 years. I mean who uses

that? Windows Phone 7 used it. On this
Nokia phones they also never got an

update. Normal browsers and servers at
least used TLS 1.0. They maybe didn't use

TLS 1.2, but they used TLS 1.0. But we
have these browsers that are trying to

reconnect if there's an error. And so what
an attacker could do is that the attacker

wants to exploit SSLv3. So he just blocks
all connections with the newer TLS version

and therefore forces the client to go into
SSLv3. And then he can exploit this attack

that only works on SSLv3. These downgrades
are causing security issues. What do we do

now? We could add another work workaround.
There was a standard called SCSV which

basically gives the server a way to tell
the client that it's not broken. It says

"hey, I have this kind of special cipher
suite" which tells the client "hey, if you

did these strange downgrades here, please
don't do that. I'm a well behaving

server." So we had a workaround for broken
servers and then we needed another

workaround for the security issues caused
by those workarounds. But at some points

even enterprise servers mostly had fixed
this version intolerance issues and

browsers stopped doing these downgrades.
Attacks like POODLE no longer worked.

However I just said they fixed it. No of
course they have not fixed it. I mean they

fixed it for TLS 1.2. But of course they
did not fix it for future TLS versions

because they were not around yet. This TLS
1.3, we would get version intolerance

again and breaking servers and would have
to introduce downgrades again and all the

nice security would not be very helpful.
The TLS working group realized that and

redesigned the handshake. It was
redesigned in a way that the old version

fields still said that we are connecting
with TLS 1.2 and then we introduce an

extension, supported_versions, which
signals the support for all the TLS

versions we can speak and which signals
support for TLS 1.3 and possibly for

future versions. Now at this point you may
wonder if we'll have version intolerance

with this new extension, once TLS 1.4 gets
out because the server may be implemented

that it sends an error if it sees an
unknown version in this new version

extension. David Benjamin from Google
thought about this and said "Yeah we have

to do something about that. We have to
improve the future compatibility for

future TLS versions." And he invented this
GREASE mechanism. The idea here is, a

server should just ignore unknown versions
in this extension. He gets a list of TLS

versions and if there's one in there that
he doesn't know about, he should just

ignore it and then connect with one of the
versions he knows about. So we could kind

of try to train servers to actually do
that. And the idea here is we're just

sending random bogus TLS versions that are
reserved values that will never be used

for a real TLS version. But we can just
randomly add them to this extension in

order to make sure that if a server
implements this incorrectly, they will

hopefully recognize that early because
there will be connection failures with

normal browsers. The hope here is if
enterprise vendors will implement a broken

version negotiation, they will hopefully
notice that before they ship the product

and then it can no longer be updated
because that's how the Internet works. So

we have this new version negotiation
mechanism we no longer need these

downgrades and we have this GREASE
mechanism to make it future proof. So now

we can ship TLS 1.3, right? Then there was
this middle box issue. Oh sorry, that's a

wrong year. It must be 2016, sorry. In
2016, in summer, TLS 1.3 was almost

finished. But then it took almost another
year till it got out. Oh sorry, I mixed up

the years. It's correct. In 2017, when TLS
1.3 was almost finished, but it took until

2018 until it was actually finished. The
reason for that was that when browser

vendors implemented a draft version of TLS
1.3, they noticed a lot of connection

failures. And the reason for these
connection failures turned out, were

devices that were trying to analyze the
traffic and trying to be smart. And they

thought "OK this is something that looks
very strange. It doesn't look like a TLS

package how we're used to it. So let's
just drop it, yeah?" So "Yeah, this is a

strange TLS package, I don't know what
to do with this, I'll drop it." These were

largely passive middle boxes. So we're not
talking about things like man in the

middle devices that are intercepting a TLS
connection but just something like a

router, where you would expect it just
forwards traffic. But it tries to be

smart, it tries to do advanced security
enterprise. I don't know. And they were

dropping traffic that looked like TLS 1.3
Then the browser vendors proposed some

changes to TLS 1.3 so it looks more like
TLS 1.2. The main thing was, they

introduced some bogus messages from TLS
1.2 that were supposed to be ignored. So

one such message is the so-called
ChangeCipherSpec message in TLS 1.2, which

originally didn't exist in 1.3 due to this
new handshake design. This message in 1.2,

it signals that everything from now on is
encrypted. The idea was "okay, if we sent

a bogus ChangeCipherSpec message early in
the handshake, then maybe this would

confuse those devices, thinking everything
after that is encrypted and they cannot

analyze it." And it turned out this
worked. A lot of this reduced the

connection failures a lot. There are a few
other things. And then eventually the

failure rates got low enough that browsers
thought "Okay, now we can deploy this."

There were a few more issues. This is a
Pixma printer from Canon. These things

have an HTTPS server. They have network
support. And we have to talk about these

people here. If you remember the Snowden
relations, one of the things that got

highlighted there was that there's a
random number generator called Dual EC

DRBG. And that has a backdoor and
basically these days everyone believes

this is a backdoor by the NSA and they
have some secret keys so they can predict

what random values this RNG will output.
Also what was in the Snowden documents was

that at some point the NSA offered 10
million dollars to RSA security, so they

implement this RNG. Then there was a
proposal, a draft, for a TLS extension,

called Extended Random, that adds some
extra random numbers to the TLS handshake.

Why? It wasn't really clear like it was
just "Yeah we can do this." It was just a

proposal. I mean everyone can write a
proposal for a new extension, it was never

finalized, but it was out there. And in
2014, a research team looked closer at

this Dual EC RNG and figured out that if
you use this ER extension then it's much

easier to exploit this backdoor in this
RNG. And coincidentally RSA's TLS library,

BSAFE, also contains support for that
extension. But it was switched off. They

didn't find any implementations that
actually used it. So it was thought of

"okay, this was no big deal, all right".
But actually it seems these these Canon

printers, they had enabled this extension.
They use this RSA BSAFE library and

enabled this ER extension, which was only
a draft. And so as ER was only a draft, it

had no official extension number. So such
a TLS extension has a number so that the

server knows what kind of extension this
is. And for this implementation they just

used the next available number. And it
turned out that this number collided with

one of the mandatory extensions that TLS
1.3 introduced. So these these Canon

printers could not interpret that new
extension. They thought this is this

Extended Random and it didn't make any
sense, and so you had connection failures.

In the TLS protocol they just gave this
extension a new number and then this no

longer happened. There were many more such
issues and they continue to show up. For

example recently, Java, which is like also
very popular in enterprise environments,

it now ships with TLS 1.3 support but it
doesn't really work. So you have

connection failures there. Now with all
these deployment issues, what about future

TLS versions? Will we have all that again?
And we have this GREASE mechanism and it

helps a bit like it prevents this version
intolerance issues but it doesn't prevent

these more complicated middle box issues.
There was a proposal from David Benjamin

from Google who said "Yeah, maybe we
should just, every few months, like every

two or three months, ship a new temporary
TLS version which we will use for three

months and then we will deprecate it again
to just constantly change the protocol so

that the Internet gets used to the fact
that new protocols get introduced."

<i>Laughter</i>
My prediction here is that these

deployment issues are going to get worse.
I mean, we know now that they exist and we

kind of have some ideas how to prevent
them, but if you go to enterprise security

conferences, you will know that the latest
trend in enterprise security is this thing

called artificial intelligence: We use
machine learning and fancy algorithms to

detect bad stuff. And that worries me. And
here's a blog post from Cisco, where they

want to use machine learning to detect bad
TLS traffic, because they see all this

traffic is encrypted and we can no longer
analyze it, we don't know if malware in

there, so let's use some machine learning;
it will detect bad traffic. So, what I'm

very worried that will happen here is that
the next generation of TLS deployment

issues will be AI-supported TLS
intolerance issues and it may be much

harder to fix and analyze. Speaking of
enterprise environments, one of the very

early changes in TLS 1.3 was that it
removed the RSA encryption handshake. One

reason was that it doesn't have forward
secrecy. The other was these, all these

Bleichenbacher attacks that I talked about
earlier. And then, there came an email to

the TLS working group from the banking
industry and I quote: "I recently learned

of a proposed change that would affect
many of my organization's member

institutions: the deprecation of the RSA
key exchange. Deprecation of the RSA key

exchange in TLS 1.3 will cause significant
problems for financial institutions,

almost all of whom are running TLS
internally and have significant, security-

critical investments in out-of-band TLS
decryption." What it basically means is,

they are using TLS for some connection;
they have some device in the middle that

is decrypting the traffic and analyzing it
somehow which - if they do it internally -

it's okay, but this no longer works with
TLS 1.3, because we always negotiate a new

key for each connection and it's no longer
possible to have the static decryption.

There was an answer from Kenny Patterson,
he's a professor from London, he said: "My

view concerning your request: no.
Rationale: We're trying to build a more

secure internet."
<i>Applause</i>

"You're a bit late to the party. We're
metaphorically speaking at the stage of

emptying the ash trays and hunting for the
not quite empty beer cans. More exactly,

we are at draft 15 and RSA key transport
disappeared from the spec about a dozen

drafts ago. I know the banking industry is
usually a bit slow off the mark, but this

takes the biscuit." Okay.
<i>Laughter</i>

There were several proposals then to add a
visibility mode to TLS 1.3, which would in

another way allow these connections that
could be passively observed and decrypted,

but they were all rejected and the general
opinion in the TLS working group was that

the goal of monitoring traffic content is
just fundamentally not the goal of TLS.

The goal of TLS is to have an encrypted
channel that no one else can read. The

industry eventually went to ETSI, which is
the European technology standardization

organization, and they recently published
something called Enterprise TLS...

<i>Laughter</i>
...which modifies TLS 1.3 in a way that it

would allow these decryptions. The IETF
protested against that and primarily

because of the... they used the name TLS,
because it sounds like this is some

addition to TLS or something, and
apparently ETSI has previously promised to

them that they would not use the name TLS
and then they named it Enterprise TLS.

Okay, but yeah... TLS 1.3 is finished. You
can start using it. You should update your

servers so that they use it. Your browser
probably already supports it. So, in

summary: TLS 1.3 deprecates many insecure
constructions. It's faster and deploying

new things on the internet is a mess. So,
yeah. That's it. And I think we have a few

minutes for questions.
<i>Applause</i>

Herald: Alright, yeah. As Hanno mentioned, we
have 6 minutes or so for questions. We

have 5 microphones in the room. So, if you
want to ask a question, hurry up to one of

the microphones and please make sure to
ask a short, concise question, so that we

can get as many in as we can possibly can.
Maybe, you just go ahead over there. Mic

2.
Mic 2: Thank you very much for this

interesting talk. Is there a way to
prevent the uses of this Enterprise TLS?

Hanno: The question is if there is a way
to prevent the use of that Enterprise TLS.

Yes, there is, because the basic idea is
that they will use a static Diffie-Hellman

key exchange and if you just connect twice
and see that they are using the same

again, then you may reject that. Although
the problem is, some servers may also use

that for optimization. So, there are
longer discussions on this question, so...

I cannot fully answer it, but there more
or less... there are options.

Herald: Alright. Before we go to the next
question, a quick request for all the

people leaving the room: Please do so as
quietly as possible, so we can finish this

Q&amp;A in peace and don't have all this noise
going on. Mic 3, please.

Mic 3: Hi. I was wondering about the
replay attacks. Why didn't they implement

something like sequence numbers into the
TLS protocol?

Hanno: Yeah. There is something like that
in there. The problem is, you sometimes

have a situation where you have multiple
TLS termination points - for example, if

you have a CDN network that is
internationally distributed - and you may

not be able to keep state across all of
them.

Herald: Alright. Then, let's take a
question from our viewers in the internet.

The signal angel, please.
Signal angel: Alright. Binarystrike asks:

"With regards to TLS 1.3 in the
enterprise, shouldn't we move away from

perimeter interception devices to also
putting control on the end point, like we

would have in a zero-trust environment?"
Hanno: So, in my opinion, yes. But, there

are many people in the enterise security
industry who think that this is not

feasible. But, I mean, discussion about
network design, that would be a whole

other talk. Yeah.
Herald: Alright. Then, let's take a

question from mic 4.
Mic 4: Yeah. It's also related to the

Enterprise TLS. The browser can connect to
an Enterprise TLS server without any

problems?
Hanno: Yeah. So, it's built that it's

compatible with the existing TLS protocol.
Mic 4: Okay, thanks.

Hanno: And the reason of whether you can
avoid that or not, that's really a more

complicated discussion, that would kind of
be a whole sub-talk, so I cannot answer

this in a minute, but come to me later if
you are interested in details.

Herald: Alright. Then, let's take another
question from the interwebs.

Signal Angel: We have one more question
from IRC: "Would you recommend

inserting bogus values into handshakes to
train implementors?"

Hanno: I mean that what I said what is
done, that's actually what browsers are

doing, and I think this is a good idea. I
just think that this covers only a small

fraction of these deployment issues.
Herald: Okay, we still have plenty of

time, so let's go to mic 2 please.
Mic 2: Yeah, as you said, we have still a

lot of dirty workarounds concerning TLS
1.3 and all the implementatons in the

browers and so on. Is there a way to make,
like, a requirement for the TLS 1.3 or 1.4

compliance to meet some compliance to the
standard? So you have like a test you can

perform, a self-test or something like
that and if you pass that you are allowed

to use the TLS 1.3 logo or 1.4 logo.
Hanno: You can do that in theory. The

problem is you don't really want to have a
certification regime that people like have

to ask for a logo to be able to be allowed
to implement TLS. and I mean that's kind

of one of the downsides of the open
architecture of the Internet, right? We

allow everyone to put devices on the
Internet, so we kind of have to live with

that. And there's no TLS police, so, we
kind of have no way of preventing people

to use broken TLS implementations. And I
mean people won't care if they have a logo

for it or not, right?
Herald: Alright, let's go to mic 5 all the

way in the back there.
Mic 5: Okay. I have a question about

Shor's algorithm and TLS 1.3, because
since quantum computing is getting very

popular lately and there are a lot of
improvements in the industries, so what's

the current situation regarding TLS 1.3
and all those quantum-based algorithms

that break the complexity into polynomial
times?

Hanno: There's no major change here. So,
with TLS 1.3 you still are using

algorithms that can be broken with quantum
computers if you have a quantum computer.

Which currently you don't, but you may
have in the future. There is work done on

standardizing future algorithms that are
safe from quantum attacks, but that's kind

of in an early stage. And there was an
experiment by Google to introduce a

quantum-safe handshake, but they only ran
it for a few months. But, I think we will

see extensions within the next few years
that will introduce quantum-safe

algorithms, but right now there's no
change from TLS 1.2 to 1.3. Both can be

attacked with quantum computers.
Herald: Okay, so I think we are getting to

our last or second to last question, so
let's go to mic 3, I think you've been

waiting the longest.
Mic 3: Okay. In older versions of TLS

there was a problem for small devices such
as IoT and the industrial devices. Has

there been a change in 1.3 to allow them
to participate?

Hanno: I mean I'm not sure what entirely
you mean with the problem, I mean...

Mic 3: Of performance, of performance.
Hanno: ...of course TLS needs some... the

performance issues of TLS have usually
been overstated. So even in a relatively

low-power device you can implement the
crypto. I mean the whole protocol is

relatively complex and you need to
implement it somehow, but I don't think

that's such a big issue anymore because
even IoT devices have relatively powerfull

processors these days.
Herald: Okay, alright, that concludes our

Q&amp;A, unfortunately we are out of time. So
please give a huge round of applause for

this great talk.

<i>applause</i>

<i>35C3 postroll music</i>

subtitles created by c3subtitles.de
in the year 2019. Join, and help us!