TLS 1.3 and IPsec

Question 1

What is TLS 1.3?

Answer 1

The latest TLS version
Significant changes from earlier versions affecting security and efficiency

Question 2

What is IPsec?

Answer 2

Framework for ensuring secure communications over IP (internet protocol) networks

Similar security services as TLS, but at a lower layer in the communications protocol stack

Question 3

What are the 7 layers of the OSI model?

Answer 3

Application

Presentation

Session

Transport

Network

Data link

Physical

Question 4

What layer does TLS operate on?

Answer 4

Application layer

Question 5

What layer does IPsec operate on?

Answer 5

Network layer

Question 6

What efficiency and security problems in earlier versions, does TLS 1.3 fix?

Answer 6

Efficiency: Needing 2 round trip times before data can be sent

Sec: Too complex protocol, supported old and weak cipher suites

Question 7

What does TLS 1.3 aim to achieve?

Answer 7

Provable security

Question 8

What items in TLS was removed from version 1.2 to 1.3? (6)

Answer 8

Static RSA and DH key exchange

Renegotiation

SSL 3.0 negotiation

DSA in finite fields

data compression

non-AEAD cipher suites

Question 9

What items was added in TLS 1.3 from 1.2? (3)

Answer 9

Zero round-trip-time (0-RTT) mode from pre-shared keys

Post-handshake client authentication through “certificate verify” signature

More AEAD cipher suites

Question 10

Describe the TLS 1.3 handshake protocol: Hello messages

Answer 10

Client sends keyshare field in client hello for one or more anticipated cipher suites

Server can obtains session key on receipt of client hello if:
- server accepts one of the cipher suites
- the keyshare matches the accepted ciphersuite

If the conditions above fail:
- Server sends an optional Hello Retry Request
- Client responds is these in an acceptable cipher suite

Question 11

In TLS 1.3 what messages are encrypted?

Answer 11

After hello - all later parts of the protocol are encrypted using the keys from the handshake

Question 12

What messages in TLS 1.3 handshake are not cryptographically protected?

Answer 12

Client and sever hello/keyshare messages

Question 13

How does TLS 1.3 derive individual keys?

Answer 13

HKDF standard (hash key derivation function)

Question 14

What different key types can be derived from the master secret?

Answer 14

Handshake traffic keys
Application traffic keys
Early data keys

Question 15

What are Application traffic keys used for?

Answer 15

Protect client-server traffic

Question 15

What are Handshake traffic keys used for?

Answer 15

Protect handshake protocol

Question 16

What are early data keys used for?

Answer 16

Used for 0-RTT data

Question 17

In TLS 1.2 and 1.3, what does the CertificateVerify message do?

Answer 17

Used by the client to send a certificate and authenticate using the message

Question 18

What does the CertificateVerify message contain?

Answer 18

A signature which can be verified using the public key in the certificate

Question 19

What is the post-handshake client authentication extension in TLS 1.3?

Answer 19

If used, the server may request client authentication at any time after the handshake completed

The client then responds with its certificate and a signature in the form of CertificateVerify

Question 20

What is early-data?

Answer 20

Application data that parties can start sending immediately, in 0-RTT key establishments

Question 21

Describe 0-RTT in TLS 1.3

Answer 21

0-RTT is based on a pre-shared key (PSK), that is either agreed outside TLS or from an earlier TLS session

At the end of the handshake protocol, the server can send to the client one or more new session tickets as PSKs

A client may start a new PSK sesion without negotiating version and ciphersuite

Question 22

What is one thing needed to make 0-RTT possible, and what is this used for?

Answer 22

Pre shared key

PSK is used to authenticate Diffie Hellman

Question 23

What secrecy does early data lack?

Answer 23

Forward secrecy

Question 24

What option does the TLS handshakes always use?

Answer 24

Diifie-Hellman option

Question 25

In TLS 1.3, what does the cipher suites specify?

Answer 25

Which AEAD cipher to use in Record layer

Hash function to use for KDF

Question 26

What ciphersuite is mandatory to implement in TLS 1.3?

Answer 26

TLS_AES_128_GCM_SHA256

Question 27

What is the ChaCha algorithm?

Answer 27

Stream cipher with MAC

Faster than AES

256-bit key

Combines XOR, addition modulo 2^32, rotation operations over 20 rounds

Produces 512 bits of keystream

Question 28

What are the efficiency improvements of TLS 1.3?

Answer 28

Saving of one round trip time in handshake

Can set up follow-on session with 0-RTT

Question 29

What security improvements came with TLS 1.3?

Answer 29

Only forward-secret key exchange now allowed

Many legacy cipher suite no longer allowed

Renegotiation option removed

Formal security proof

Question 30

What does the Selfie attack on TLS break?

Answer 30

Mutual authentication in PSK mode

Question 31

How does the selfie attack on TLS work?

Answer 31

Victim party A must be prepared to act as client and a server

A shares a PSK with B

The attacker reflects messages back to herself so client A believes she is talking to B while actually taking with server A

Question 32

How can the selfie attack on TLS be prevented?

Answer 32

Forbidding to share a PSK between more than one server and one client

Question 33

What types of algorithms does IPsec use?

Answer 33

Encryption, authentication and key management

Question 34

What is IPsec most commonly used for?

Answer 34

To provide VPN

Provides a security architecture for both IPv4 and IPv6

Question 35

What is message confidentiality?

Answer 35

Protects against unautherised data disclosure by the use of encryption

Question 36

What is message integrity?

Answer 36

Detects if data has been changed by using a MAC or authenticated ancryption

Question 37

What is message replay protection?

Answer 37

The same data is not replayed and data is not delivered badly out of order

Question 38

What is Limited traffic analysis protection?

Answer 38

Eavesdropper on network traffic should not know which parties communicate, how often or how much data is sent

Question 39

What is Peer authentication?

Answer 39

Each IPsec endpoint confirms the identity of the other IPsec endpoint

Question 40

What 5 security services does IPsec provide?

Answer 40

Message confidentiality
Message integrity
Message replay protection
Limited traffic analysis protection
Peer authentication

Question 41

What is a gateway-to-gateway architecture?

Answer 41

Provides secure network communications between two networks

Traffic is routed through the IPsec connection, protecting it appropriately

Only protects data between 2 gateways

Question 42

What is a gateway-to-gateway architecture most often used for?

Answer 42

When connecting two secured networks, such as linking a branch office to headquarters over the internet

Question 43

What is a Host-to-gateway architecture?

Answer 43

The organization deploys a VPN gateway onto their network

Each remote user establishes a VPN connection between the local computer (host) and the gateway

The VPN gateway may be a dedicated device or part of another network device

Question 44

When are host-to-gateway architectures mostly used?

Answer 44

When connecting hosts on unsecured networks to resources on secured networks.

Commonly used to provide secure remote access

Question 45

What are host-to-host architectures?

Answer 45

Provide end-to-end protection for data (throughout its transit)

resource-intensive to implement/maintain in terms of user and host management.

All user systems and servers that will participate in VPNs need to have VPN software installed and/or configured

Key management through a manual process

Question 46

What are host-to-host architectures typically used for?

Answer 46

For special purpose needs, such as system administrators performing remote management of a single server

Question 47

What are the 3 IPsec protocol types?

Answer 47

ESP: Encapsulating Security Payload

AH: Authentication Header

IKE: Internet Key Exchange

Question 48

What does the IPsec protocol provide: Encapsulating Security Payload?

Answer 48

Provides:
- confidentiality
- authentication
- integrity
- replay protection

Question 49

What is the IPsec protocol: Authentication Header

Answer 49

Provides:
- authentication
- integrity
- replay protection

No confidentiality and because of that deprecated

Question 50

What is the IPsec protocol: Internet Key Exchange

Answer 50

Takes care of negotiating, creating and managing session keys in so-called security associations

Question 51

How are IPsec connections set up?

Answer 51

Key exchange: IKEv2 protocol

IKEv2 uses DH authenticated using signatures with public keys in X.509 certificates

Includes cookies: client must return a time-dependent cookie value before the server proceeds

Question 52

What attacks does using cookies when setting up a IPsec connection mitigate, and what do they provide?

Answer 52

The cookies mitigates denial-of-service attacks

The cookies provide proof of reachability before any expensive cryptographic processing is completed

Question 53

What is a Security Association (SA)?

Answer 53

Contains info needed by an IPsec endpoint to support an IPsec connection

SA tells the endpoint how to process inbound IPsec packets or how to generate outbound packets

SAs are needed for each direction of connection

Question 54

What can SAs include?

Answer 54

cryptographic keys and algorithms

Key lifetimes

Security parameter index (SPI): included in the IPsec header to associate a packet with the appropriate SA

Security protocol identifier (ESP or AH)

Question 55

What is used to establish keys to use in SAs?

Answer 55

IKEv2

Question 56

Name 2 modes of operation in IPsec

Answer 56

Transport and tunnel mode

(both protocol ESP and AH can operate in both)

Question 57

What is transport mode in IPsec?

Answer 57

Maintains IP header of the original packet and protects payload

Generally only used in host-to-host architectures

Question 58

What is tunnel mode in IPsec?

Answer 58

Original packet encapsulated into a new one, meaning payload is the original packet

Typical use is gateway-to-gatewat architecure

Question 59

What are the components of the ESP protocol in IPsec?

Answer 59

ESP header: contains SPI identifying the SA and sequence numbers

ESP trailer: Contains padding and padding length, may include extra padding to enhance traffic flow confidentiality

ESP auth: Contains MAC of the encrypted data and ESP header, may not be required if an authenticated encryption mode is used

Question 60

What does a IP packet look like when protected by Transport-ESP?

Answer 60

Original IP packet:
[ IP header ] [ Data ]

Protected:
[IP header] [ESP header] [Data] [ESP trailer] [ESP auth]

Data and ESP trailer are encrypted

ESP header, Data and ESP trailer are authenticated

Question 61

What does a IP packet look like when protected by Tunnel-ESP?

Answer 61

Original IP packet:
[ IP header ] [ Data ]

Protected:
[New IP header] [ESP header] [IP header][Data] [ESP trailer] [ESP auth]

Encrypted: IP header, data, ESP trailer
Authenticated: ESP header, IP header, data, ESP trailer

Question 62

Describe outbound packet processing in ESP transport mode

Answer 62

Padding of data after original IP header: add ESP trailer and result encrypted using the symmetric cipher and key in the SA

ESP header is prepended

ESP MAC calculated over the data prepared so far and appended (if an SA uses the authentication service)

Original IP header is prepended but some fields must be changed:
- Protocol fields from TCP to ESP
- Total length changes to reflect addition of ESP header
- Checksum recalculated

Question 63

Describe outbound packet processing in ESP tunnel mode

Answer 63

Entire original packet is padded by adding an ESP trailer

The result is encrypted using the symmetric cipher and key agreed in the SA

ESP header prepended

ESP MAC calculated and appended, if SA uses auth service

New outer IP header is prepended
- Inner IP header of the original IP packet carries the ultimate src and dst addresses
- Outer IP header may contain distinct IP addresses such as addresses of security gateways
- Outer IP header protocol field is set to ESP

Question 64

Describe the security of IPsec

Answer 64

Providing enc without integrity is insecure - active attacks have been demonstrated

ESP applies enc before MAC in normal usage

Using AH, a MAC can be applied before enc. Attacks have been demonstrated on such configs

IPsec key exchange protocol (IKEv2) has no significant weaknesses