The transport layer security protocol (TLS)

Question 1

What is TLS?

Answer 1

Cryptographic services protocol based on Public Key Infrastructure (PKI)

Runs primarly over TCP

Consist of 3 higher-level protocols

Question 2

What is TLS often used for?

Answer 2

To allow browsers to establish secure sessions with web servers

Question 3

What 3 higher level protocols does TCP consist of?

Answer 3

TLS handshake protocol to set up session

TLS alert protocol to signal events such as failures

TLS change cipher spec protocol to change the cryptographic algorithms

Question 4

What are the layers of the TLS: Protocol stack?

Answer 4

Handshake - Change cipher spec - alert - http or other

TLS record protocol

TCP

IP

Question 5

What does the TLS alert protocol do?

Answer 5

Handles connections by sending an “alert” message of various degrees of severity

Question 6

What are the three types of alerts in the alert protocol?

Answer 6

Warning alerts

close_notify alert

fatal alerts

Question 7

What can happen if we have improper handling of alert messages?

Answer 7

Truncation attacks

Question 8

What does the change cipher spec protocol do?

Answer 8

Normally used after handshake to indicate commencement of secure traffic

Question 9

What does TLS ciphersuites do?

Answer 9

Specify the public key algorithms used in handshake, and symmetric algo used in record protocol

Question 10

Describe the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite

Answer 10

Key exchange uses RSA to encrypt a secret chosen by the client

Triple DES (enc-dec-enc) in CBC mode used for encryption

SHA-1 used for the HMAC for data integrity

Question 11

What 2 services does the record protocol provide in TLS?

Answer 11

Message confidentiality: Ensure message content cannot be read in transit

Message integrity:Ensure receiver can detect if a message is modified in transit

Question 12

How does the record protocol provide the 2 services?

Answer 12

A symmetric encryption algorithm and a MAC

Question 13

Describe the record protocol format

Answer 13

Header: Content type, major version, minor version, length

Plaintext (optionally compressed): encrypted

MAC (not a separate field if AEAD is used): encrypted

Question 14

What is the Content Type field in the record protocol header?

Answer 14

Defines content types. The defined ones are:
- change-cipher-spec
- alert
- handshake
- application data

Question 15

What is the length field in the record protocol header?

Answer 15

Length in octets of the data

Question 16

What are the operations of the record protocol (6)?

Answer 16

Fragmentation

Compression: optionally applied

Authenticated data

Plaintext: Compressed data and the MAC, if present

Session keys for MAC and encryption algorithms are established during handshake protocols

Encryption and MAC algorithms are specified in the negotiated ciphersuite

Question 17

What is fragmentation in the record protocol?

Answer 17

Each application layer message is fragmented into blocks of 2^14 bytes or less

Question 18

What is authenticated data in the record protocol?

Answer 18

Consist of the (compressed) data, header, and an implicit record sequence number

Question 19

What crypto algorithms are used in the record protocol?

Answer 19

MAC: HMAC, SHA-2 allowed in TLS 1.2

Enc: Either a block in CBC, or stream cipher

AEAD: Allowed instead of enc and MAC in TLS 1.2

Question 20

What is the purpose of the handshake protocol?

Answer 20

Negotiates the TLS version and crypto algos to be used

Establishes shared session key for use in record protocol

Auths server

Auths client (optional)

Completes session establishment

Question 21

Name 4 versions of the TLS handshake

Answer 21

RSA variant (supported, but not recommended)

Diffie-Hellman (recommended)

Pre-shared key variant

Mutual authentication or server only authentication

Question 22

What are the 4 phases of the TLS handshake protocol?

Answer 22

1: Initiates the logical connection and establishes its security capabilites

2 and 3: Performs key exchange with messages and message content depending on the handshake variant negotiated in phase 1

4: Completes the setting up of a secure connection

Question 23

What happens during phase 1 of the TLS handshake?

Answer 23

Client and server negotiates version, cipher suite and compression. Exchanges nonces

Question 24

What happens during phase 2 of the TLS handshake?

Answer 24

Server sends certificate and key exchange message (if it is needed)

Question 25

What happens during phase 3 of the TLS handshake?

Answer 25

Client sends certificate and key exchange message

Question 26

What happens during phase 4 of the TLS handshake?

Answer 26

Client and server starts secure communications

Question 27

How does the RSA-based TLS handshake work?

Answer 27

The simplest variation has server-only authentication and the server has a public key suitable for RSA encryption

On completion of phase 1, assume that RSA-based key exchange has been selected

Question 28

What are the 5 main TLS handshake messages?

Answer 28

Client hello

Server hello

Server key exchange

Client key exchange

Change cipher spec

Question 29

What does the message “Client hello” do in the TLS handshake?

Answer 29

States highest TLS version available

Advertises ciphersuites available to the client

Sends client nonce Nc

Question 30

What does the message “Server hello” do in the TLS handshake?

Answer 30

Returns the selected TLS version and ciphersuite

Sends server nonce Ns

Question 31

What does the message “Server key exchange” do in the TLS handshake?

Answer 31

Server’s input to the key exchange

Question 32

What does the message “Client key exchange” do in the TLS handshake?

Answer 32

Client’s input to the key exchange

Question 33

What does the message “Change cipher spec” do in the TLS handshake?

Answer 33

Switch to newly negotiated ciphersuite for record layer

Question 34

What does the “Server key exchange” message do in the Ephemeral DH handshake variant?

Answer 34

DH generator, group parameters and the server ephemeral DH value is sent.

All of these values are signed by the server

Question 35

What does the “Client key exchange” message do in the Ephemeral DH handshake variant?

Answer 35

Send client ephemeral DH value.

This value is optionally signed by the client, if the client certificate is used

Question 36

What is the shared secret in the Ephemeral DH handshake variant?

Answer 36

Pre-master secret (pms)

Question 37

What type of secrecy does the Ephemeral DH handshake variant provide?

Answer 37

Forward secrecy

Question 38

What TLS variant is recommended today, and why?

Answer 38

The Ephemeral DH handshake variant, because it provides forward secrecy

Question 39

What does the “Server key exchange” message do in the RSA handshake variant?

Answer 39

The message is not used

Question 40

What does the “Client key exchange” message do in the RSA handshake variant?

Answer 40

Key transport of pre-master secret pms

The client selects a random pms

Client encrypts the pms with the servers public key and sends the ciphertext to the server

The server decrypts the pms using its private key

Question 41

Why is the RSA handshake version not recommended for use in TLS?

Answer 41

It does not provide forward secrecy

Question 42

How is the master secret defined in TLS?

Answer 42

ms = PRF(pms, “master secret”, Nc || Ns)

Question 43

In TLS how are keying material generated from the master key?

Answer 43

k = PRF(ms, “key expansion”, Ns || Nc)

Question 44

In TLS how are independent session keys generated?

Answer 44

They are partitioned from k in each direction.

Session keys consist of a read key and write key on each side.

Question 45

Give 3 examples of what keying material may include in TLS (these are dependent on the cipher suite)

Answer 45

Encryption key

MAC key

IV

Question 46

What is PRF in TLS?

Answer 46

Pseudo random function

Question 47

Describe the PRF in TLS?

Answer 47

Built from HMAC with a specified hash function.

TLS 1.0 and 1.1 uses a combination of MD5 and SHA1

TLS 1.2 uses SHA-2 in the PRF

Question 48

What are the inputs to the PRF function in TLS?

Answer 48

PRF(K, label, r)

K: Key
r: Nonce, possibly (?)

Question 49

When is static DH used in the TLS handshake, and when is the ephemeral DH used?

Answer 49

Static is used with certified keys.

If the client does not have a certificate, ephemeral is used

Question 50

What is the Anonymous DH variant of the TLS handshake? (DH_Anon)

Answer 50

The ephemeral DH keys are not signed.

This only protects against passive eavesdropping

Question 51

What is forward secrecy?

Answer 51

The property that a compromise of long-term keys should not lead to compromise of session keys established before the long-term key compromise took place.

Question 52

How can forward secrecy be provided in the TLS handshake?

Answer 52

Use DH key exchange with the exchange authenticated using signatures from the long-term keys

Question 53

What are a limitation with SSL and TLS?

Answer 53

There are multiple ways a man-in-the-middle attacker can attempt to make two entities drop down to the least secure version they support

This can be done if the attacker for example blocks access to the port a secure service runs on, or attempt to get the peers to negotiate an unauthenticated connection.

Question 54

What are the 2 main protocols of TLS?

Answer 54

Handshake protocol and Record layer protocol

Question 55

How does TLS assume reliable delivery of messages?

Answer 55

This is provided by TCP

Question 56

What is the BEAST attack?

Answer 56

Browser Exploit Against SSL/TLS

Exploits a non-standard use of IV in CBC mode. IVs are chained from previous ciphertexts

This attack allows an attacker to recover plaintext byte by byte

Question 57

What has been done to prevent the BEAST attack?

Answer 57

TLS 1.1: Only use random IVs

Browsers implement a mitigation strategy based on splitting plaintext into first byte + remainder to force a randomised IV including a MAC computation.

Question 58

What are the CRIME and BREACH attack based on?

Answer 58

Compression - different inputs results in different amounts of compression

Question 59

What is the CRIME attack?

Answer 59

Compression Ratio Info-leak Made Easy

Exploits compression in TLS

Question 60

What is the BREACH attack?

Answer 60

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

Exploits compression in HTTP

Question 61

How can you protect against the CRIME and BREACH attack?

Answer 61

Turn of compression in TLS

Switching it of in HTTP results in a big performance penalty

Question 62

What is a padding oracle?

Answer 62

The source of information about whether or not a message was correctly padded.

Question 63

How can the padding oracle attack be mitigated?

Answer 63

Using a uniform error response that does not give any information about whether or not the message was correctly padded.

This way, an attacker cannot distinguish between padding and MAC errors.

Question 64

What is the POODLE attack?

Answer 64

Padding Oracle On Downgraded Legacy Encryption

Forces downgrade to SSL 3.0 and then runs a padding oracle attack

Question 65

What is the Heartbleed bug?

Answer 65

Implementation error in OpenSSL

Based on missing bounds check in heartbeat messages.

Allows memory leak from server

Question 66

What did the Man-in-the-middle attacks on TLS do?

Answer 66

Rely on issuing a new certificate and installing a root certificate in the browser.

Question 67

What is the TLS timing (padding) oracle attack?

Answer 67

There is a subtle timing bug in the way that TLS data decryption works when using the standard CBC mode ciphersuite.

TLS first applies a MAC to the plaintext, then adds additional padding bytes to get the message length to be an even number of blocks. Then, the record is CBC-encrypted.

The important part is that the padding is not protected by the MAC.

Record structure:
Header - DATA - MAC - Padding

Because of this, the attacker can tamper with the padding by flipping specific bits in the ciphertext, leading to a padding oracle attack.

The attacker can re-transmit the record to the server. If the attacker learned whether the changes affected the padding, this information can be used to decrypt the whole record.

Researchers showed that a timing attack could be run instead, if error messages were not provided. This was caused by the decryption taking different amount of time when the padding was correct or not. This was due to the implementation first checking the padding and returning immediately if it was incorrect, without checking the MAC.

Question 68

Should you encrypt a message and then apply the MAC, or apply the MAC and then encrypt the message?

Answer 68

Encrypt, then apply the MAC to the resulting ciphertext

Question 69

Why is backward compatibility a problem in TLS?

Answer 69

Allows for downgrade attacks.