TLS 1.3 and IPsec Flashcards
What is TLS 1.3?
The current version of TLS (RFC 8446, published 2018)
Significant changes from earlier versions, affecting both security and efficiency
What is IPsec?
Framework for ensuring secure communications over IP (internet protocol) networks
Similar security services to TLS, but at a lower layer of the protocol stack
What are the 7 layers of the OSI model?
Application
Presentation
Session
Transport
Network
Data link
Physical
What layer does TLS operate on?
Application layer (more precisely: directly above the transport layer, which corresponds to the session/presentation layers in OSI terms)
What layer does IPsec operate on?
Network layer
What efficiency and security problems in earlier versions does TLS 1.3 fix?
Efficiency: a full TLS 1.2 handshake needs 2 round trips before application data can be sent
Security: overly complex protocol; supported old and weak cipher suites and key exchanges
What does TLS 1.3 aim to achieve?
Provable security
Which items were removed going from TLS 1.2 to 1.3? (6)
Static RSA and DH key exchange
Renegotiation
SSL 3.0 negotiation
DSA signatures (finite-field DSA)
data compression
non-AEAD cipher suites
Which items were added in TLS 1.3 compared to 1.2? (3)
Zero round-trip-time (0-RTT) mode based on pre-shared keys
Post-handshake client authentication, using a CertificateVerify signature
More AEAD cipher suites
Describe the TLS 1.3 handshake protocol: Hello messages
Client sends a key_share extension in ClientHello with (EC)DH public values for one or more anticipated groups, alongside its list of cipher suites
Server can compute the shared secret on receipt of ClientHello if:
- server accepts one of the offered cipher suites and one of the offered groups
- the client supplied a key_share for the accepted group
If the second condition fails:
- Server sends a HelloRetryRequest naming the group it wants
- Client responds with a second ClientHello carrying a key_share for that group (costs one extra round trip)
In TLS 1.3 what messages are encrypted?
After ServerHello, all later handshake messages (EncryptedExtensions, Certificate, CertificateVerify, Finished) and all application data are encrypted using keys derived in the handshake
What messages in TLS 1.3 handshake are not cryptographically protected?
ClientHello and ServerHello (including their key_share extensions) are sent in the clear; they are still covered by the transcript hash that the Finished and CertificateVerify messages bind, so tampering with them is detected at the end of the handshake
How does TLS 1.3 derive individual keys?
HKDF (HMAC-based Extract-and-Expand Key Derivation Function, RFC 5869), wrapped as HKDF-Expand-Label / Derive-Secret using the cipher suite's hash function
What different key types does the TLS 1.3 key schedule derive?
Handshake traffic keys (from the handshake secret, which mixes in the (EC)DH shared secret)
Application traffic keys (from the master secret)
Early data keys (from the early secret, i.e. from the PSK alone)
What are Application traffic keys used for?
Protect client-server traffic
What are Handshake traffic keys used for?
Protect handshake protocol
What are early data keys used for?
Used to protect 0-RTT early data (derived from the PSK alone, before any DH exchange has happened)
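The Hello negotiation and the key schedule described in the cards above, as an added example that is not part of the original deck: a stdlib-only Python implementation of HKDF-Extract/Expand, HKDF-Expand-Label, Derive-Secret and the three-stage (early / handshake / master) key schedule of RFC 8446, plus the server-side decision between ServerHello and HelloRetryRequest. The transcript bytes, PSK and DH shared secret used in the demo are constructed placeholders, not real handshake messages; `negotiate_group` and `key_schedule` are names chosen here, not RFC names.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256            # hash of TLS_AES_128_GCM_SHA256
HASH_LEN = HASH().digest_size    # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 s7.1): info is the serialised HkdfLabel struct."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret: the context is the transcript hash of the handshake so far."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def traffic_keys(secret: bytes, key_len: int = 16, iv_len: int = 12) -> tuple:
    """Record-layer key and IV for one direction (AES-128-GCM sizes)."""
    return (hkdf_expand_label(secret, b"key", b"", key_len),
            hkdf_expand_label(secret, b"iv", b"", iv_len))


def negotiate_group(client_groups, client_key_shares, server_groups):
    """Server side of the Hello exchange. ("OK", g) when the client already sent a
    key_share for an acceptable group, ("HRR", g) when a HelloRetryRequest is needed."""
    for g in server_groups:                       # server preference order
        if g in client_groups:
            return ("OK", g) if g in client_key_shares else ("HRR", g)
    raise ValueError("no common group")


def key_schedule(psk, dh_shared, ch, ch_to_sh, ch_to_sf):
    """Full RFC 8446 key schedule. psk is None for a full handshake, dh_shared is None
    for a PSK-only (psk_ke) handshake. ch / ch_to_sh / ch_to_sf are the transcript
    bytes up to ClientHello, ServerHello and the server's Finished respectively."""
    zeros = b"\x00" * HASH_LEN
    early_secret = hkdf_extract(zeros, psk or zeros)
    client_early = derive_secret(early_secret, b"c e traffic", ch)   # 0-RTT keys: PSK only
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""),
                                    dh_shared or zeros)
    c_hs = derive_secret(handshake_secret, b"c hs traffic", ch_to_sh)
    s_hs = derive_secret(handshake_secret, b"s hs traffic", ch_to_sh)
    master_secret = hkdf_extract(derive_secret(handshake_secret, b"derived", b""), zeros)
    c_ap = derive_secret(master_secret, b"c ap traffic", ch_to_sf)
    s_ap = derive_secret(master_secret, b"s ap traffic", ch_to_sf)
    return {"early": traffic_keys(client_early),
            "client_hs": traffic_keys(c_hs), "server_hs": traffic_keys(s_hs),
            "client_ap": traffic_keys(c_ap), "server_ap": traffic_keys(s_ap)}


if __name__ == "__main__":
    # Constructed placeholders: a resumption PSK, an ECDH shared secret and fake transcripts.
    psk, dh = b"P" * 32, b"D" * 32
    keys = key_schedule(psk, dh, b"CH", b"CH|SH", b"CH|SH|EE|CERT|CV|SF")
    for name, (k, iv) in keys.items():
        print(f"{name:10s} key={k.hex()} iv={iv.hex()}")
    print(negotiate_group(["x25519", "secp256r1"], {"x25519"}, ["secp256r1", "x25519"]))
```

Running the same inputs on both sides yields identical keys; changing only the DH shared secret changes the handshake and application keys but leaves the early-data keys untouched, which is exactly why 0-RTT data has no forward secrecy.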
In TLS 1.2 and 1.3, what does the CertificateVerify message do?
Proves possession of the private key matching the certificate just sent in the Certificate message; in TLS 1.2 only the client sends it, in TLS 1.3 both client and server do
What does the CertificateVerify message contain?
A signature over the handshake transcript so far, verifiable with the public key in the certificate
What is the post-handshake client authentication extension in TLS 1.3?
If negotiated, the server may request client authentication at any time after the handshake has completed
The client then responds with its certificate and a signature in the form of CertificateVerify
What is early-data?
Application data that the client can start sending in its first flight, in a 0-RTT (PSK-based) key establishment
Describe 0-RTT in TLS 1.3
0-RTT is based on a pre-shared key (PSK) that is either agreed outside TLS or obtained from an earlier TLS session
At the end of the handshake, the server can send the client one or more NewSessionTicket messages, each of which yields a PSK for later resumption
A client may start a new PSK session without a fresh negotiation of version and cipher suite (the hash of the original suite is bound to the PSK)
What is one thing needed to make 0-RTT possible, and what is it used for?
A pre-shared key (PSK)
The PSK derives the early-data keys and authenticates the handshake; in psk_dhe_ke mode it also authenticates a fresh (EC)Diffie-Hellman exchange that restores forward secrecy for the rest of the session
What secrecy does early data lack?
Forward secrecy (the early-data keys depend only on the PSK); 0-RTT data is also replayable, so servers should accept it only for idempotent requests
What key-exchange option does a full TLS 1.3 handshake always use?
Ephemeral (EC)Diffie-Hellman; static RSA and static DH key transport are gone, and only PSK-only resumption (psk_ke) skips the DH exchange
In TLS 1.3, what do the cipher suites specify?
Which AEAD cipher to use in the Record layer
Which hash function to use in the HKDF key schedule (and for the transcript hash)
What ciphersuite is mandatory to implement in TLS 1.3?
TLS_AES_128_GCM_SHA256
What is the ChaCha algorithm?
ChaCha20 is a stream cipher; paired with the Poly1305 MAC it forms the ChaCha20-Poly1305 AEAD used in TLS_CHACHA20_POLY1305_SHA256
Faster than AES in software on CPUs without AES hardware instructions
256-bit key (plus a 96-bit nonce and a 32-bit block counter in the IETF variant)
Combines XOR, addition modulo 2^32 and rotation (ARX) operations over 20 rounds
Each invocation of the block function produces 512 bits (64 bytes) of keystream
What are the efficiency improvements of TLS 1.3?
Saves one round trip in the full handshake (1-RTT instead of 2-RTT before application data)
Can set up follow-on session with 0-RTT
What security improvements came with TLS 1.3?
Only forward-secret (ephemeral DH) key exchange allowed in the full handshake
Many legacy cipher suites no longer allowed
Renegotiation option removed
Formal security proofs of the handshake and record layer (provable security was an explicit design goal)
What does the Selfie attack on TLS break?
Mutual authentication in PSK mode, when one external PSK is shared by two parties that both act as client and server
How does the selfie attack on TLS work?
The victim party A must be prepared to act both as a client and as a server
A shares a PSK with B
The attacker reflects A's ClientHello back to A's own server (and server A's replies back to client A), so client A believes it is talking to B while it is actually talking to server A
How can the selfie attack on TLS be prevented?
Never share one PSK between more than one client and one server: use a separate PSK per direction, so the key A uses as a client differs from the key A accepts as a server
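The reflection and its fix, modelled as an added example that is not part of the original deck. `Peer` holds one PSK for its client role and one for its server role; in the vulnerable deployment both are the same shared key, so A's own server accepts A's reflected ClientHello. The binder computation is a simplified HMAC stand-in for the HKDF-based PSK binder of RFC 8446, and `Peer`, `selfie` and the message layout are names and formats chosen here.

```python
import hashlib
import hmac
import os

BINDER_LEN = 32


def binder(psk: bytes, partial_hello: bytes) -> bytes:
    """PSK binder: MAC keyed by the PSK over the ClientHello so far.
    Simplified stand-in for the HKDF derivation in RFC 8446 s4.2.11."""
    binder_key = hmac.new(psk, b"res binder", hashlib.sha256).digest()
    return hmac.new(binder_key, hashlib.sha256(partial_hello).digest(), hashlib.sha256).digest()


class Peer:
    """A party that can act as TLS client and as TLS server with PSK authentication."""

    def __init__(self, name: str, psk_as_client: bytes, psk_as_server: bytes):
        self.name = name
        self.psk_as_client = psk_as_client   # key used when this peer initiates
        self.psk_as_server = psk_as_server   # key this peer accepts when responding

    def client_hello(self) -> bytes:
        body = b"ClientHello|" + os.urandom(32) + b"|psk_identity=shared"
        return body + binder(self.psk_as_client, body)

    def server_accepts(self, hello: bytes) -> bool:
        body, tag = hello[:-BINDER_LEN], hello[-BINDER_LEN:]
        return hmac.compare_digest(tag, binder(self.psk_as_server, body))


def selfie(victim: Peer) -> bool:
    """The attack: the victim's own ClientHello is reflected to the victim's server.
    Returns True when the server side of the victim accepts it."""
    return victim.server_accepts(victim.client_hello())


def vulnerable_pair():
    """One PSK, used by A and B in both roles (the configuration the Selfie attack needs)."""
    k = os.urandom(32)
    return Peer("A", k, k), Peer("B", k, k)


def fixed_pair():
    """One PSK per (client, server) direction: A->B and B->A use different keys."""
    k_ab, k_ba = os.urandom(32), os.urandom(32)
    return Peer("A", psk_as_client=k_ab, psk_as_server=k_ba), Peer("B", psk_as_client=k_ba, psk_as_server=k_ab)


if __name__ == "__main__":
    A, B = vulnerable_pair()
    print("legit A->B accepted:", B.server_accepts(A.client_hello()))
    print("selfie on A succeeds:", selfie(A))
    A, B = fixed_pair()
    print("legit A->B accepted:", B.server_accepts(A.client_hello()))
    print("selfie on A succeeds:", selfie(A))
```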
What types of algorithms does IPsec use?
Encryption, authentication and key management
What is IPsec most commonly used for?
To provide VPNs
Provides a security architecture for both IPv4 and IPv6
What is message confidentiality?
Protects against unauthorised data disclosure by the use of encryption
What is message integrity?
Detects whether data has been changed, using a MAC or authenticated encryption
What is message replay protection?
Ensures the same data is not accepted twice and that data is not delivered badly out of order (via the sequence number in the ESP/AH header)
What is Limited traffic analysis protection?
Eavesdropper on network traffic should not know which parties communicate, how often or how much data is sent
What is Peer authentication?
Each IPsec endpoint confirms the identity of the other IPsec endpoint
What 5 security services does IPsec provide?
Message confidentiality
Message integrity
Message replay protection
Limited traffic analysis protection
Peer authentication
What is a gateway-to-gateway architecture?
Provides secure network communications between two networks
Traffic is routed through the IPsec connection, protecting it appropriately
Only protects data between the two gateways, not on the networks behind them
What is a gateway-to-gateway architecture most often used for?
When connecting two secured networks, such as linking a branch office to headquarters over the internet
What is a Host-to-gateway architecture?
The organization deploys a VPN gateway onto their network
Each remote user establishes a VPN connection between the local computer (host) and the gateway
The VPN gateway may be a dedicated device or part of another network device
When are host-to-gateway architectures mostly used?
When connecting hosts on unsecured networks to resources on secured networks.
Commonly used to provide secure remote access
What are host-to-host architectures?
Provide end-to-end protection for data (throughout its transit)
Resource-intensive to implement and maintain in terms of user and host management
All user systems and servers that will participate in VPNs need to have VPN software installed and/or configured
Key management is often a manual process
What are host-to-host architectures typically used for?
For special purpose needs, such as system administrators performing remote management of a single server
What are the 3 IPsec protocol types?
ESP: Encapsulating Security Payload
AH: Authentication Header
IKE: Internet Key Exchange
What does the IPsec protocol Encapsulating Security Payload provide?
Provides:
- confidentiality
- authentication
- integrity
- replay protection
What is the IPsec protocol Authentication Header?
Provides:
- authentication
- integrity
- replay protection
No confidentiality; largely superseded by ESP (which can also be run integrity-only) and optional since RFC 4301, so it is rarely used today
What is the IPsec protocol Internet Key Exchange?
Negotiates, creates and manages session keys and parameters in so-called security associations
How are IPsec connections set up?
Key exchange: the IKEv2 protocol (RFC 7296)
IKEv2 runs a Diffie-Hellman exchange authenticated by signatures whose public keys are in X.509 certificates (pre-shared keys and EAP are also supported)
Includes cookies: under load the responder answers the first IKE_SA_INIT with a cookie, and the initiator must echo it in a retried IKE_SA_INIT before the responder proceeds; the cookie is computed from a periodically rotated secret, so it is time-dependent
What attacks does using cookies when setting up an IPsec connection mitigate, and what do they provide?
The cookies mitigate denial-of-service attacks (flooding the responder with half-open SAs from spoofed source addresses)
The cookies provide proof of reachability before any expensive cryptographic processing is completed
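The cookie exchange from the cards above as an added example (not part of the original deck): a stateless IKEv2 responder that follows the construction suggested in RFC 7296 s2.6, Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret), allocates half-open state only after the initiator echoes a valid cookie, and keeps accepting the previous secret version for one rotation. The `Responder` class, its method names and the return tuples are choices made here, not a real IKE implementation; an HMAC replaces the plain hash so the secret cannot be recovered from cookies.

```python
import hashlib
import hmac
import os
import struct


class Responder:
    """IKEv2 responder under load: answers a cookie-less IKE_SA_INIT with a COOKIE notify
    and spends no memory or DH work until the initiator proves it can receive at its
    claimed source address by echoing the cookie."""

    def __init__(self):
        self.current = 0
        self.secrets = {0: os.urandom(32)}   # VersionIDofSecret -> secret
        self.half_open = {}                  # initiator SPI -> responder SPI, allocated late

    def rotate_secret(self):
        """Periodic rotation; cookies older than one rotation stop validating."""
        self.current += 1
        self.secrets[self.current] = os.urandom(32)
        for old in [v for v in self.secrets if v < self.current - 1]:
            del self.secrets[old]

    def _cookie(self, version: int, ni: bytes, ip: bytes, spi_i: bytes) -> bytes:
        # RFC 7296 s2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self.secrets[version], ni + ip + spi_i, hashlib.sha256).digest()
        return struct.pack("!I", version) + mac

    def ike_sa_init(self, src_ip: bytes, spi_i: bytes, ni: bytes, cookie: bytes = None):
        """Returns ("COOKIE", cookie) without allocating state, ("OK", spi_r) once the
        cookie checks out, or ("DROP", None) for a stale or forged cookie."""
        if cookie is None:
            return ("COOKIE", self._cookie(self.current, ni, src_ip, spi_i))
        version = struct.unpack("!I", cookie[:4])[0]
        if version not in self.secrets:
            return ("DROP", None)            # too old: initiator must start again
        if not hmac.compare_digest(cookie, self._cookie(version, ni, src_ip, spi_i)):
            return ("DROP", None)            # wrong source address, nonce or SPI
        spi_r = os.urandom(8)
        self.half_open[spi_i] = spi_r        # only now: state plus the expensive DH step
        return ("OK", spi_r)


if __name__ == "__main__":
    r = Responder()
    ip, spi_i, ni = bytes([203, 0, 113, 5]), os.urandom(8), os.urandom(32)   # constructed initiator
    kind, cookie = r.ike_sa_init(ip, spi_i, ni)
    print(kind, "state allocated:", bool(r.half_open))
    print(r.ike_sa_init(bytes([198, 51, 100, 9]), spi_i, ni, cookie)[0], "(spoofed source)")
    print(r.ike_sa_init(ip, spi_i, ni, cookie)[0], "state allocated:", bool(r.half_open))
```

An attacker spoofing source addresses never sees the cookie sent to the address it forged, so each of its packets costs the responder one HMAC and nothing else.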
What is a Security Association (SA)?
Contains info needed by an IPsec endpoint to support an IPsec connection
SA tells the endpoint how to process inbound IPsec packets or how to generate outbound packets
SAs are unidirectional, so one is needed for each direction of a connection
What can SAs include?
cryptographic keys and algorithms
Key lifetimes
Security parameter index (SPI): included in the IPsec header to associate a packet with the appropriate SA
Security protocol identifier (ESP or AH)
What is used to establish keys to use in SAs?
IKEv2
Name the 2 modes of operation in IPsec
Transport and tunnel mode
(both ESP and AH can operate in either mode)
What is transport mode in IPsec?
Keeps the IP header of the original packet and protects only the payload
Generally only used in host-to-host architectures
What is tunnel mode in IPsec?
Original packet encapsulated into a new one, meaning payload is the original packet
Typical use is the gateway-to-gateway architecture
What are the components of the ESP protocol in IPsec?
ESP header: contains the SPI identifying the SA and a sequence number (for replay protection)
ESP trailer: contains padding, the pad length and the next-header field; may include extra padding to enhance traffic flow confidentiality
ESP auth (ICV): MAC over the ESP header and the encrypted data; with an AEAD algorithm such as AES-GCM the ICV is the AEAD tag rather than a separate MAC
What does an IP packet look like when protected by Transport-ESP?
Original IP packet:
[ IP header ] [ Data ]
Protected:
[IP header] [ESP header] [Data] [ESP trailer] [ESP auth]
Data and ESP trailer are encrypted
ESP header, Data and ESP trailer are authenticated
What does an IP packet look like when protected by Tunnel-ESP?
Original IP packet:
[ IP header ] [ Data ]
Protected:
[New IP header] [ESP header] [IP header][Data] [ESP trailer] [ESP auth]
Encrypted: IP header, data, ESP trailer
Authenticated: ESP header, IP header, data, ESP trailer
Describe outbound packet processing in ESP transport mode
Payload after the original IP header is padded and an ESP trailer appended; the result is encrypted using the symmetric cipher and key in the SA
ESP header is prepended
ESP MAC calculated over the data prepared so far and appended (if an SA uses the authentication service)
Original IP header is prepended, but some fields must be changed:
- Protocol field changes from the payload protocol (e.g. TCP, 6) to ESP (50); the original value is carried in the trailer's next-header field
- Total length changes to reflect the added ESP header, trailer and ICV
- Checksum recalculated
Describe outbound packet processing in ESP tunnel mode
The entire original packet is padded and an ESP trailer added (next-header = IP-in-IP)
The result is encrypted using the symmetric cipher and key agreed in the SA
ESP header prepended
ESP MAC calculated and appended, if the SA uses the authentication service
New outer IP header is prepended
- Inner IP header of the original IP packet carries the ultimate src and dst addresses
- Outer IP header may contain distinct IP addresses such as addresses of security gateways
- Outer IP header's protocol field is set to ESP (50)
Describe the security of IPsec
Providing encryption without integrity is insecure: active attacks on encryption-only configurations have been demonstrated
ESP applies encryption before the MAC (encrypt-then-MAC) in normal usage, which is the sound order
Using AH inside ESP, a MAC can be applied before encryption (MAC-then-encrypt); attacks have been demonstrated on such configurations
The IPsec key exchange protocol (IKEv2) has no significant known weaknesses
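The outbound and inbound ESP processing described in the transport-mode and tunnel-mode cards, together with the encryption-without-integrity point above, as one added example that is not part of the original deck. It builds the RFC 4303 framing (SPI and sequence number, 4-byte-aligned padding, pad length, next header, truncated ICV computed encrypt-then-MAC over header and ciphertext), rewrites the IPv4 protocol, total-length and checksum fields, and encapsulates in both modes. The cipher is a stand-in: an HMAC-SHA-256 keystream in counter mode keyed per (SPI, sequence number) stands in for the SA's real algorithm so the block runs on the standard library alone; the `SA` class, function names and the sample TCP segment are constructed here.

```python
import hashlib
import hmac
import struct

ESP_PROTO, TCP_PROTO, IPIP_PROTO = 50, 6, 4   # IP protocol numbers: ESP, TCP, IPv4-in-IPv4
ICV_LEN = 16                                  # HMAC-SHA-256-128: truncated ICV


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, id 1); checksum computed over the final field values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


class SA:
    """One direction of an IPsec connection: SPI, keys and sequence-number state."""
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0          # outbound counter
        self.last_seq = 0     # inbound anti-replay (single value; real stacks keep a window)


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA-256 in counter mode, unique per (SPI, sequence number)."""
    out = b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_protect(sa: SA, plaintext: bytes, next_header: int) -> bytes:
    """RFC 4303 framing: [SPI|seq][enc(payload|padding|pad len|next hdr)][ICV]."""
    pad_len = -(len(plaintext) + 2) % 4                   # pad so the trailer ends on a 4-byte boundary
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    sa.seq += 1
    esp_hdr = struct.pack("!II", sa.spi, sa.seq)
    ct = xor(body, keystream(sa.enc_key, sa.spi, sa.seq, len(body)))
    icv = hmac.new(sa.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]   # encrypt-then-MAC
    return esp_hdr + ct + icv


def esp_unprotect(sa: SA, esp: bytes, check_icv: bool = True):
    """Inbound processing. check_icv=False models an encryption-only SA (insecure, see below)."""
    hdr, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if check_icv and not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet dropped")
    spi, seq = struct.unpack("!II", hdr)
    if spi != sa.spi or seq <= sa.last_seq:
        raise ValueError("wrong SA or replayed sequence number")
    sa.last_seq = seq
    body = xor(ct, keystream(sa.enc_key, spi, seq, len(ct)))
    pad_len, next_header = body[-2], body[-1]
    return body[:len(body) - 2 - pad_len], next_header


def transport_encap(sa: SA, packet: bytes) -> bytes:
    """Transport mode: keep the original IP header, protect only the payload."""
    ip, payload = packet[:20], packet[20:]
    esp = esp_protect(sa, payload, ip[9])          # original protocol number moves into the trailer
    return ipv4_header(ip[12:16], ip[16:20], ESP_PROTO, len(esp)) + esp   # proto=50, length+checksum redone


def transport_decap(sa: SA, packet: bytes) -> bytes:
    ip = packet[:20]
    payload, nh = esp_unprotect(sa, packet[20:])
    return ipv4_header(ip[12:16], ip[16:20], nh, len(payload)) + payload


def tunnel_encap(sa: SA, packet: bytes, gw_src: bytes, gw_dst: bytes) -> bytes:
    """Tunnel mode: the whole original packet is the payload; outer header carries gateway addresses."""
    esp = esp_protect(sa, packet, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def tunnel_decap(sa: SA, packet: bytes) -> bytes:
    inner, nh = esp_unprotect(sa, packet[20:])
    if nh != IPIP_PROTO:
        raise ValueError("unexpected inner protocol")
    return inner


def rejected(fn, *args) -> bool:
    """True if inbound processing drops the packet."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    out_sa, in_sa = SA(0x1001, b"k" * 32, b"a" * 32), SA(0x1001, b"k" * 32, b"a" * 32)
    tcp = bytes.fromhex("1f90005000000001000000005002ffff00000000") + b"GET / HTTP/1.0\r\n"  # constructed segment
    pkt = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), TCP_PROTO, len(tcp)) + tcp
    prot = transport_encap(out_sa, pkt)
    print("transport: proto", prot[9], "round-trip ok:", transport_decap(in_sa, prot) == pkt)
    print("replay dropped:", rejected(transport_decap, in_sa, prot))
```

With `check_icv=False` a flipped ciphertext bit flips the same plaintext bit and nothing notices; with the ICV in place the packet is dropped before decryption, which is the encrypt-then-MAC ordering ESP uses.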