Transcript Document

SSL/TLS Trends, Practices, and
Futures
Brian A. McHenry, Security Solutions Architect
[email protected]
@bamchenry
Agenda
1.
Global SSL Encryption Trends and Drivers
2.
A Few “Best” Practices
3.
Solutions
4.
What’s Next?
© F5 Networks, Inc.
2
Gartner Says Worldwide Information Security Spending Will
Grow Almost 8 Percent in 2014
• Worldwide spending on information security will reach $71.1 billion in 2014
• Data loss prevention segment recording the fastest growth at 18.9 percent,
• By 2015, roughly 10% of overall IT security enterprise product capabilities will
be delivered in the cloud
• Regulatory pressure will increase in Western Europe and Asia/Pacific from
2014
© F5 Networks, Inc.
3
Trajectory and Growth of Encryption
SSL growing ~30% annually. Entering the Fifth wave of transition (IoE)
MARKET AMPLIFIERS
3.5
Customer Trends:
Millions of Certificates (CA)
3.0
2.5
E-Commerce
2.0
Privacy
Mobility
1.5
1.0
S
n
o
w
d
e
n
IoE
•
PFS/ECC Demanded
•
SSL Labs Application Scoring
Emerging Standards:
•
TLS 1.3, HTTP 2.0/SPDY
•
RSA -> ECC
Thought Leaders and Influence:
0.5
0.0
1998
Source: Netcraft
© F5 Networks, Inc.
2002
2006
2010
2014
•
Google: SHA2, SPDY, Search
Ranking by Encryption
•
Microsoft: PFS Mandated
Years
4
Timeline of SSL Vulnerabilities & Attacks
August 2009
Insecure renegotiation
vulnerability exposes all
SSL stacks to DoS
attack
August
2009
© F5 Networks, Inc.
RFC 5746
TLS extension for secure
renegotiation quickly
mainstreamed
February
2010
BEAST & CRIME
Client-side or MITB
attacks leveraging a
chosen-plaintext flaw in
TLS 1.0 and TLS
compression flaws
September
2011
Lucky 13
Another timing attack.
…
TIME
RC4 Attacks
Weakness in CBC cipher A refinement and
variation of CRIME
making plaintext
guessing possible
February
2013
March
2013
March
2013
Heartbleed
The end of the Internet
as we know it!
April
2014
5
The Three Pillars of Effective SSL/TLS Encryption
SSL Intelligence and
Visibility (Full Proxy)
Flexible & Scalable Encryption:
• Optimized SSL in Hardware
and Software
• Cipher Diversity (RSA, ECC,
DSA)
Enterprise key & Certificate
Management
Fully Automated Key and
Certificate Management:
• For all BIG-IP platforms
• For all vendor platforms
• SSL Visibility: Proxy SSL &
Forward Proxy
• 3rd Party Integration for bestin-class key encryption:
Venafi, Symantec/ VeriSign
• SSL Traffic Intelligence:
• PKI Supported Environments
Hardware Security Modules
Advance HSM Support:
• High Performing HSM
options
• Virtualized low-bandwidth
options
• Market Leading HSM
Vendor Support
• HSTS, HTTP 2.0/SPDY,
OCSP Stapling, TLS
Server Session Ticket
© F5 Networks, Inc.
6
Data Protection: Microsoft and Google Expands Encryption
© F5 Networks, Inc.
7
If You Thought Encryption was confusing…
ECC, PFS and Curves
Not all curves are considered equal
Different Authorities:
• US NIST (US National Institute of Standards) with 186-2 (recently
superseded in 2009 by the new186-3)
• US ANSI (American National Standard Institute) with X9.62
• US NSA (National Security Agency) Suite-B Cryptography for TOP
SECRET information exchange
• International SACG (Standards for efficient cryptography group)
with Recommended Elliptic Curve Domain Parameters
• German ECC Brainpool withECC Brainpool with their Strict
Security Requirements
• ECC Interoperability Forum composed by Certicom, Microsoft,
Redhat, Sun, NSA
© F5 Networks, Inc.
8
If You Thought Encryption was confusing…
ECC, PFS and Curves
Not all curves are considered equal
Different Names:
• Secp246r1, Prime256v1, NIST P-256
Different Kinds of Curves:
• ECC over Prime Field (Elliptic Curve)
• ECC over Binary Field (Koblitz Curve)
Other Curves:
• Curve25519 (Google)
• Mumford (Microsoft)
• Brainpool
© F5 Networks, Inc.
9
Some SSL Best Practices
SSL: Not Just for Security
• Google has begun adjusting page rank based on SSL implementations
• F5 customers have third-party/B2B requirements for strong encryption
• SSL Labs’ Pulse tool has made testing easy
• Users and businesses are choosing services based on Pulse grades
© F5 Networks, Inc.
11
Achieving A+ Grades on SSLLabs.com
• Require Secure Renegotiation
• Disable SSLv2 and SSLv3 Use an explicit, strong cipher string, such as:
• !SSLv3:!TLSv1:!EXPORT:!DH:!MD5:!RC4:RSA+AES:RSA+3DES:ECDHE+AES:ECDHE+
3DES:ECDHE+RSA:@STRENGTH
• Prefer Perfect Forward Secrecy (PFS)
• Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above
• Enable HTTP Strict Transport Security (HSTS)
• RFC 6797
© F5 Networks, Inc.
12
More detail: HTTP Strict Transport Security
HSTS is enabled by the “Strict-Transport-Security” HTTP header
e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
• When received, browsers will:
• Automatically convert HTTP references to HTTPS references
• Disallow certificate exemptions (self-signed, etc.)
• Cache HSTS information and reuse stored values for new sessions
AVAILABLE IN 12.0
© F5 Networks, Inc.
13
© F5 Networks, Inc.
14
What’s Next?
TLS 1.3 and HTTP/2 Update
HTTP/2 ratified this month.
• RFC due soon
• ALPN integrates application protocol negotiation into the TLS handshake
• TLS encrypted by default
TLS 1.3 RFC expected in April 2016
• Remove renegotiation
• AEAD ciphers only
© F5 Networks, Inc.
16
New Feature: OCSP Stapling
A Quick Primer on Certificate Revocation
• If a SSL certificate is stolen or compromised, sites need a way to revoke the
certificate so it will no longer be trusted. Revocation is handled by either CRL or
OCSP.
• CRL: Certificate Revocation List
• The browser retrieves the list of all revoked certificates from the CA.
• The browser then parses the whole list looking for the certificate in question.
• OCSP: Online Certificate Status Protocol
• The browser sends the certificate to the CA for validation.
• The CA responds that the certificate is good, revoked, or unknown.
• OCSP is more efficient than CRL, but there’s room for improvement!
© F5 Networks, Inc.
17
OCSP & CRL Checks Hurt Performance
• OCSP and CRL checks add significant overhead:
•DNS (1334ms)
•TCP handshake (240ms)
•SSL handshake (376ms)
•Follow certificate chain (1011ms)
•DNS to CA (300ms)
•TCP to CA (407ms)
•OCSP to CA #1 (598ms)
•TCP to CA #2 (317ms)
•OCSP to CA #2 (444ms)
•Finish SSL handshake (1270ms)
< TOTA L : 6 . 3 S e c o n d s >
This portion is revocation check overhead.
• Add up the time for each step and you'll see that over 30% of the SSL overhead
comes from checking whether the certificate has been revoked.
• These checks are serial and block downloads.
© F5 Networks, Inc.
18
OCSP Stapling to the Rescue
• OCSP Stapling allows the server to attach CA
signed information regarding the certificates
validity.
• Processing with OCSP enabled:
•DNS (1334ms)
•TCP handshake (240ms)
•SSL handshake (376ms)
•Follow certificate chain (1011ms)
•Process OCSP Data (10ms)
•Finish SSL handshake (1270ms)
< TOTA L : 4 . 2 S e c o n d s >
OCSP Stapling also eliminates communication
with a third par ty during cer tificate validation.
This may be considered better security since it
prevents information leakage.
© F5 Networks, Inc.
19