+ All Categories
Home > Presentations & Public Speaking > Sử dụng TLS đúng cách - Phạm Tùng Dương

Sử dụng TLS đúng cách - Phạm Tùng Dương

Date post: 29-Nov-2014
Upload: security-bootcamp
View: 289 times
Download: 7 times
Share this document with a friend
Sử dụng TLS đúng cách - Phạm Tùng Dương
StateoftheArt Using TLS @duongkai Security Bootcamp, Da Nang, 2014
Page 1: Sử dụng TLS đúng cách - Phạm Tùng Dương

State-‐of-‐the-‐Art Using TLS

@duongkaiSecurity Bootcamp, Da Nang, 2014

Page 2: Sử dụng TLS đúng cách - Phạm Tùng Dương

/me✓ Phạm Tùng Dương ✓ Solution Engineer @ISP ✓ Security Interested

Page 3: Sử dụng TLS đúng cách - Phạm Tùng Dương

This Talk is All About UsingWhen I say SSL It means TLS and/or SSL

Page 4: Sử dụng TLS đúng cách - Phạm Tùng Dương

It is can be written a bookHope I can do well in this talk!

Page 5: Sử dụng TLS đúng cách - Phạm Tùng Dương

Yeah, and Some…It’s Soooo Sleepy!

Page 6: Sử dụng TLS đúng cách - Phạm Tùng Dương

Somewhere on the Earth…

Page 7: Sử dụng TLS đúng cách - Phạm Tùng Dương


Page 8: Sử dụng TLS đúng cách - Phạm Tùng Dương

It’s Important Than Ever

Page 9: Sử dụng TLS đúng cách - Phạm Tùng Dương

Protocol Attacks✓2009: SSL Insecure Renegotiation ✓2011: BEAST ✓2012: CRIME ✓2013: RC4 biases, Lucky 13, BREACH ✓2014: POODLE

Page 10: Sử dụng TLS đúng cách - Phạm Tùng Dương

And in 2014✓Heartbleed and CCS in OpenSSL ✓Goto in GnuTLS ✓BERserk in Mozilla NSS ➔ 3 Biggest SSL implementations

Page 11: Sử dụng TLS đúng cách - Phạm Tùng Dương

In Pentest Industry

Page 12: Sử dụng TLS đúng cách - Phạm Tùng Dương

You Are Doing Wrong✓It’s too complex. ✓Crypto related is often hard to


Page 13: Sử dụng TLS đúng cách - Phạm Tùng Dương

SSL IN ACTIONOr Your Service Should Be SSL By Default!

Page 14: Sử dụng TLS đúng cách - Phạm Tùng Dương

SSL Version✓ First developed in Netscape ✓ SSL v2: Oldest and broken ✓ SSL v3 (﴾1996)﴿. Old and almost secure. ✓ TLS 1.0 (﴾1999)﴿. Fine protocol ✓ TLS 1.1 (﴾2006)﴿. No known practical

attacks. ✓ TLS 1.2 (﴾2008)﴿. The most secure until now ✓ TLS 1.3 is being developed


Page 15: Sử dụng TLS đúng cách - Phạm Tùng Dương

SSL Version✓ First developed in Netscape ✓ SSL v2: Oldest and broken ✓ SSL v3 (﴾1996)﴿. Old and almost secure. It

NOT SECURE NOW. ✓ TLS 1.0 (﴾1999)﴿. Fine protocol ✓ TLS 1.1 (﴾2006)﴿. No known practical attacks. ✓ TLS 1.2 (﴾2008)﴿. The most secure until now ✓ TLS 1.3 is being developed


Page 16: Sử dụng TLS đúng cách - Phạm Tùng Dương

Protocol In A Glance

Page 17: Sử dụng TLS đúng cách - Phạm Tùng Dương


Cipher Suite

Page 18: Sử dụng TLS đúng cách - Phạm Tùng Dương

Terms✓CSR, Certificates, EV-‐Cert and CA. ✓Private key. ✓Block ciphers vs Stream ciphers ✓PFS (﴾Letter E)﴿: Perfect Forward Secrecy ✓Curves and Curves: Elliptic Curve ✓X509, PEM, PKCS#12 and conversion. ✓OpenSSL

Page 19: Sử dụng TLS đúng cách - Phạm Tùng Dương

Checklist1. Updated the latest version (﴾OS, software)﴿ 2. Get an 2048-‐bit certificates from CA. Better if it supports SHA256 3. Know your legacy. 4. Configure TLS on your system. 5. Verify TLS configuration with your own hands.

Page 20: Sử dụng TLS đúng cách - Phạm Tùng Dương

Explanation2. Get an 2048-‐bit certificates from CA. Better if it supports SHA256 ✓ 1024 bit is weak and can be broken easily.[1] [1]https://isc.sans.edu/diary/Confusion+over+SSL+and+1024+bit+keys/18775 ✓ SHA192 is on the way to be deprecated[2] [2]https://konklone.com/post/why-‐google-‐is-‐hurrying-‐the-‐web-‐to-‐kill-‐sha-‐1 ✓ 4096 is consuming CPU too much

3. Know your legacy ✓ Supported protocol version. ✓ Supported cipher suites. ✓ Your compliance.

Page 21: Sử dụng TLS đúng cách - Phạm Tùng Dương

Explanation4. Configure TLS on your system. ✓ Avoiding insecure ciphers: RC4, DES, 3DES, MD5, SHA1,… ✓ Turn off SSLv3 support ✓ Turn off compression ✓ AES-‐128 is good enough (﴾both secure and faster)﴿. ✓ Enable PFS if supported. ✓ Switch to using Poly1350, Salsa-‐20 and EC ✓ Reference

https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite https://bettercrypto.org/static/applied-‐crypto-‐hardening.pdf

Page 22: Sử dụng TLS đúng cách - Phạm Tùng Dương

Explanationssl_protocols  SSLv3  TLSv1  TLSv1.1  TLSv1.2;   ssl_ciphers  EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;  ssl_prefer_server_ciphers  on; CloudFlare config: https://github.com/cloudflare/sslconfig/blob/master/conf

Page 23: Sử dụng TLS đúng cách - Phạm Tùng Dương

Explanationssl_protocols  SSLv3  TLSv1  TLSv1.1  TLSv1.2;   ssl_ciphers  EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;  ssl_prefer_server_ciphers  on;

CloudFlare config: https://github.com/cloudflare/sslconfig/blob/master/conf

Page 24: Sử dụng TLS đúng cách - Phạm Tùng Dương


Page 25: Sử dụng TLS đúng cách - Phạm Tùng Dương

Explanation: A+ssl_certificate  /etc/nginx/ssl/server.crt;

ssl_certificate_key  /etc/nginx/ssl/server.key;

ssl_trusted_certificate  /etc/nginx/ssl/AddTrustExternalCARoot.crt;

ssl_dhparam  /etc/nginx/ssl/dhparam.pem;

#  Session  Resumption

ssl_session_timeout  20m;

ssl_prefer_server_ciphers  on;

ssl_session_cache  shared:SSL:20m;

#  Enable  OCSP  stapling  (req.  nginx  v  1.3.7+)

ssl_stapling  on;

ssl_stapling_verify  on;

ssl_protocols  TLSv1.2  TLSv1.1  TLSv1;

ssl_ciphers  ECDHE-­‐RSA-­‐AES256-­‐GCM-­‐SHA384:ECDHE-­‐RSA-­‐AES128-­‐SHA256:ECDHE-­‐RSA-­‐AES128-­‐SHA:DHE-­‐RSA-­‐AES128-­‐SHA:RC4-­‐SHA;

add_header  Strict-­‐Transport-­‐Security  "max-­‐age=31536000;  includeSubdomains";


Page 26: Sử dụng TLS đúng cách - Phạm Tùng Dương

Explanation5. Verify TLS configuration with your own hands. ✓ Openssl s_client ✓ Cipherscan and some browser tools ✓ https://www.howsmyssl.com/ ✓ https://cc.dcsec.uni-‐hannover.de/ ✓ iSec Partner SSLyze ✓ SSLLabs (﴾https://www.ssllabs.com/)﴿ ✓ Make your hands dirty

Page 27: Sử dụng TLS đúng cách - Phạm Tùng Dương

DEMO TIMEIf I have enough time…


Page 28: Sử dụng TLS đúng cách - Phạm Tùng Dương

Reference[1] HTTPS Everywhere, Ilya Grigorik https://docs.google.com/presentation/d/15H8Sj-‐Zol1tcum0CSylhmXns5r7cvNFtzYrcwAzkTjM/present#slide=id.g12f3ee71d_10 [2] SSL Pulse Project https://www.trustworthyinternet.org/ssl-‐pulse/ [3] How is my SSQL now https://www.howsmyssl.com/ [4] The Art and Science of SSL Configuration, Nick Galbreath https://speakerdeck.com/ngalbreath/the-‐art-‐and-‐science-‐of-‐ssl-‐configuration [5] Bulletproof TLS and SSL, Ivan Ristic, ISBN: 978-‐1907117046 !Special Thanks to authors of photos about Da Nang and Hoi An (on Flickr): pierre_thach, nemesis1903 28

Page 29: Sử dụng TLS đúng cách - Phạm Tùng Dương


