
Domain I: Cyber Security

Subdomain: Cryptography
TLS evolution: from TLS 1.2 to PostQuantum ciphers
Agenda

Reminder on TLS
State of the Art in TLS
Threats on TLS
Post-Quantum crypto and TLS
Appendix

| 10-09-2019 | © Atos - For internal use


Reminder on SSL/TLS
Reminder on TLS
HTTPS

TLS = OSI Layer 5 (+/-)
▶ Transport Layer Security (ex SSL)
▶ Point-to-Point security

TLS with HTTP → HTTPS (default port 443)
▶ TLS Server side (1-way)
▶ TLS Mutual Authentication (2-way)
▶ WSS = HTTPS → full duplex WebSocket

Provides
▶ Authenticity
– Server and/or client
▶ Confidentiality
▶ Integrity

[Figure: protocol stack] Layer 7: SOAP/XML, REST/JSON, generic HTTP (advanced: WS-Security, SAML, OAuth); Layer 5: TLS, DTLS; Layer 4: TCP, UDP; Layer 3: IP, IPsec



Reminder on TLS
Principles and layers in protocol

TLS = State Machine, orchestrating multiple ciphers
▶ Session setup (Asymmetric)
– Key Exchange
– Authentication
▶ Session (Symmetric)
– Application data (Authenticate/Encrypt)

Up to TLS 1.2: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
– Key exchange: ECDHE | Authentication: RSA | Cipher (Algorithm, Strength, Mode): AES_128_GCM | MAC or PRF: SHA256
TLS 1.3: TLS_AES_128_GCM_SHA256
– Cipher (Algorithm, Strength, Mode): AES_128_GCM | HKDF: SHA256

[Figure: protocol stack] Application Protocol → Application data Protocol → TLS Record Protocol → TCP → IP

PKI and X.509 certificates



Reminder on TLS
TLS and Security Architecture

TLS as a Security control
▶ Position & role as a Security Control
▶ Vulnerability Assessment / Scanning
▶ Risk assessment: need to include vs threats landscape

Segregate Internal vs External TLS
▶ Insulate application lifecycle from Security
▶ Application-level threat inspection
▶ Better management of external keys

Use Cases
▶ Users and flows
▶ Humans (browsers) vs Systems
▶ Externals vs. internals

Security Policy and Governance
▶ Compliance and enforcement

PKI and X.509 certificates
▶ Issuing Certification Authority
▶ Protection of private keys

[Figure: reference architecture] Human and System users on the Internet and on the Private Network → FW (Level 1) → Inbound Proxy (Internet) and Inbound Proxy (Intranet), each on Virtual Host 1 / Virtual Host 2 → FW (Level 2) → Internal Servers; an Outbound Proxy carries the outgoing flows



State of the Art in TLS
State of the art in TLS
TLS 1.2 and TLS 1.3

▶ Recommendations
– Dutch NCSC
▶ 4 Levels of compliance
– Good
– Sufficient
– Phase Out
– Insufficient
▶ Cipher suites
▶ PFS recommended

| Cipher suites | Key X | Certif. Verif. (signature) | Bulk Encryption | Bulk Hash & Gen. Random |
|---|---|---|---|---|
| Good | ECDHE | ECDSA, RSA | AES_256_GCM, CHACHA20_POLY1305, AES_128_GCM | (HMAC-)SHA384, (HMAC-)SHA256 |
| Sufficient | DHE | | AES_256_CBC, AES_128_CBC | (HMAC-)SHA-1 |
| Phase Out | RSA | | 3DES-CBC, AES-256-CCM_8, AES-128-CCM_8 | |
| Insufficient | DH, ECDH, KRB5, PSK, Anon, SRP, NULL | DSS, Export-variants, PSK, NULL | IDEA, DES, RC4, NULL | (HMAC-)MD5 |

| | Certif. Verif. (hash) | Hash Key X |
|---|---|---|
| Good | SHA-512, SHA-384, SHA-256 | SHA-512, SHA-384, SHA-256 |
| Insufficient | SHA-1, MD5 | Other algo |
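The cipher-suite anatomy from the "Principles and layers in protocol" slide and the NCSC levels in the table above combine naturally into a small rating tool. The following is an added example for this deck, not code from the slides or from NCSC: it parses IANA suite names (TLS_<kx>_<auth>_WITH_<bulk>_<hash> up to TLS 1.2, TLS_<bulk>_<hash> for TLS 1.3), rates each component from the table and takes the weakest component as the suite's level, then builds a server preference list. Anything the table does not list is treated as Insufficient, which is how the table reads; the scanned suite list at the bottom is constructed.

```python
"""Rate TLS cipher suites against the NCSC levels (added example, not from the deck)."""

LEVELS = ("Good", "Sufficient", "Phase out", "Insufficient")
RANK = {level: i for i, level in enumerate(LEVELS)}  # higher rank = weaker

# NCSC table from the slide, keyed by the token as it appears in suite names.
KEY_EXCHANGE = {"ECDHE": "Good", "DHE": "Sufficient", "RSA": "Phase out"}
CERT_VERIFY = {"ECDSA": "Good", "RSA": "Good"}
BULK = {
    "AES_256_GCM": "Good", "CHACHA20_POLY1305": "Good", "AES_128_GCM": "Good",
    "AES_256_CBC": "Sufficient", "AES_128_CBC": "Sufficient",
    "3DES_EDE_CBC": "Phase out", "AES_256_CCM_8": "Phase out", "AES_128_CCM_8": "Phase out",
}
HASH = {"SHA384": "Good", "SHA256": "Good", "SHA": "Sufficient"}  # "SHA" in a suite name is SHA-1


def parse_suite(name):
    """Split an IANA cipher-suite name into its components.

    For TLS 1.3 names (no "_WITH_") key exchange and authentication are None:
    they are negotiated by extensions, not chosen by the suite.
    """
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        prefix, rest = body.split("_WITH_", 1)
        kx, _, auth = prefix.partition("_")
        auth = auth or kx            # TLS_RSA_WITH_...: RSA does key transport and authentication
        version = "<=1.2"
    else:
        kx = auth = None
        rest, version = body, "1.3"
    bulk, _, hash_alg = rest.rpartition("_")
    return {"version": version, "key_exchange": kx, "authentication": auth,
            "bulk": bulk, "hash": hash_alg}


def rate_suite(name):
    """Return (overall level, per-component levels); the overall level is the weakest component."""
    c = parse_suite(name)
    per = {}
    if c["key_exchange"] is not None:
        per["key_exchange"] = KEY_EXCHANGE.get(c["key_exchange"], "Insufficient")
        per["authentication"] = CERT_VERIFY.get(c["authentication"], "Insufficient")
    per["bulk"] = BULK.get(c["bulk"], "Insufficient")
    per["hash"] = HASH.get(c["hash"], "Insufficient")
    overall = max(per.values(), key=RANK.__getitem__)
    return overall, per


def preference_order(suites, weakest_allowed="Sufficient"):
    """Server preference list: drop suites weaker than `weakest_allowed`, then order
    strongest first, keeping the given order inside a level (sorted() is stable)."""
    kept = [s for s in suites if RANK[rate_suite(s)[0]] <= RANK[weakest_allowed]]
    return sorted(kept, key=lambda s: RANK[rate_suite(s)[0]])


# Constructed sample: what a scan of a legacy server might report.
SCANNED = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in SCANNED:
        level, per = rate_suite(suite)
        print(f"{level:13} {suite}  {per}")
    print("preference:", preference_order(SCANNED))
```

Run as a script it prints one line per scanned suite and the resulting preference list; the TLS 1.3 suite is rated on bulk cipher and HKDF hash only, since its key exchange and signature scheme are decided by extensions.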



State of the art in TLS
TLS 1.2 and TLS 1.3

Parameters for Key strength and groups
▶ To be used in ciphers

| | RSA key length | Elliptic curves | Finite field Groups |
|---|---|---|---|
| Good | At least 3072 bits | secp384r1, secp256r1, x448, x25519 | ffdhe4096, ffdhe3072 |
| Sufficient | 2048 – 3071 bits | | ffdhe2048 |
| Phase-out | | secp224r1 | |
| Insufficient | Less than 2048 bits | Others | Others |

| | Compression | Renegotiation | 0-RTT | OCSP stapling |
|---|---|---|---|---|
| Good | No | Off | Off (N/A in TLS 1.2) | On |
| Sufficient | Application | | | Off |
| Phase-out | | | | |
| Insufficient | TLS | On (N/A in TLS 1.3) | On | |



State of the art in TLS
Migration & Vulnerability Assessment

Migration is a must
▶ Certainly for Internet-exposed sites
▶ First to TLS1.2
– To get rid of TLS1.0 and TLS1.1
– Then to TLS 1.3 once official support
▶ Migration steps
– Status: Cipher suites, negotiations, …
– Target
• Define cipher suites
• Define order of preferences and exclusions on servers
– Migrate ciphers
– Migrate TLS

Regular Vulnerability Assessment
▶ Qualys SSL labs
– HTTPS on standard port 443 only
– Accessed from Internet
– Easy grades
– Widely recognised & used by customers
▶ Immuniweb:
– HTTPS and other protocols on std & non-std ports
– Accessed from Internet
▶ OSS tools:
– OSS to be run anywhere
– But no grade and no real audit



Threats on TLS
Threats on SSL/TLS
Weaknesses and Attacks at various levels

Issues inside TLS stack
▶ Protocol issues
– TLS Protocol composition: Insecure renegotiation, Triple Handshake attack, SMACK, …
– Crypto vulnerability in protocol and cipher construction: LOGJAM, Sweet32, …
– Key bias (random issues): BEAST, RC4 bias, POODLE, …
– TLS configurations and specific features (compression, …): CRIME, TIME, BREACH, …
▶ Implementation bugs: Heartbleed, GoToFail, FREAK, SKIP, …
▶ Support of old versions and downgrades: POODLE, POODLE TLS, DROWN, FREAK, SLOTH, …

Issues besides TLS stack:
▶ PKI, certificates and DNS
▶ Protection of private keys
▶ Browsers: fraudulent certificates, …
▶ Architecture
– Mixing different levels of security exposure, e.g. SSL Stripping, certificate warnings, …



Threats on SSL/TLS
Weaknesses and Attacks at various levels

Most crypto relies on conjectures and not on mathematical proofs
▶ Asymmetric crypto → P vs NP problem (complexity classes)
▶ Crypto related to calculation complexity & compute power

No implementation is perfect
▶ Cfr TLS issues

Most crypto relies on getting “good” random numbers
▶ Sufficient entropy required
▶ Otherwise crypto is useless ….

PKI and X.509 certificates rely on trust
▶ Public Trust Certificates and DNS

▶ Be prepared to adapt/change (ciphers, parameters, …)
▶ Prefer a flexible architecture and limit dependencies (application lifecycles, …)

Link between DNS and certificates (e.g. CAA)
Protect private and secret keys
Modern Browsers and updates
Secure configurations (TLS and other attacks)
▶ e.g. HSTS (HTTP Strict Transport Security)
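HSTS is the configuration item the slide singles out, and it is also the one most often deployed half-way (short max-age, subdomains left out). As an added example for this deck, not code from the slides, the following reviews a Strict-Transport-Security header the way a secure-configuration check would: it parses the directive list per RFC 6797 (case-insensitive names, no duplicates, integer max-age) and reports what a browser would actually enforce. The one-year threshold is this example's review setting, not a figure from the deck, and the sample headers at the bottom are constructed.

```python
"""Review a Strict-Transport-Security header (added example, not from the deck)."""

ONE_YEAR = 365 * 24 * 3600  # review threshold assumed by this example


def parse_hsts(header):
    """Parse the directive list of an HSTS header value.

    Directive names are case-insensitive and may appear only once (RFC 6797);
    max-age is returned as an int, valueless directives as True.
    """
    directives = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value if value else True
    if "max-age" in directives:
        age = directives["max-age"]
        if age is True or not age.isdigit():
            raise ValueError("max-age needs a non-negative integer")
        directives["max-age"] = int(age)
    return directives


def assess_hsts(header, min_age=ONE_YEAR):
    """Return review findings for a response's HSTS header (empty list = acceptable)."""
    if header is None:
        return ["no Strict-Transport-Security header: nothing stops a downgrade on the next visit"]
    try:
        d = parse_hsts(header)
    except ValueError as err:
        return [f"malformed header ({err}): browsers ignore it"]
    findings = []
    if "max-age" not in d:
        findings.append("max-age missing: header is invalid and ignored")
    elif d["max-age"] == 0:
        findings.append("max-age=0 deletes the policy")
    elif d["max-age"] < min_age:
        findings.append(f"max-age {d['max-age']} is below the {min_age} s review threshold")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if "preload" in d and ("includesubdomains" not in d or d.get("max-age", 0) < ONE_YEAR):
        findings.append("preload set, but preload lists require includeSubDomains and max-age >= 1 year")
    return findings


# Constructed sample responses, as a configuration review might collect them.
SAMPLES = {
    "hardened": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "no-age": "includeSubDomains; preload",
    "missing": None,
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, assess_hsts(header) or ["OK"])
```

The header only protects visits after the first one the browser has seen it on, which is why the check treats a missing header and a max-age of zero as the same failure.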



Threats on SSL/TLS
Impact of potential Quantum Computing

| Algorithm | Impact of quantum computers |
|---|---|
| AES | Larger key sizes needed: 256 bits for 128 bits of security [x2] |
| SHA-2, SHA-3 | Larger output needed: 384 bits for 128 bits of security [x3] |
| RSA | No longer secure |
| DSA, ECDSA | No longer secure |
| DH, ECDHE | No longer secure |

Vulnerable standards
▶ FIPS 186, Digital Signature Standard
– Digital Signatures: RSA, DSA, ECDSA
▶ SP 800-56A/B, Recommendation for Key Establishment Schemes
– Diffie-Hellman, RSA key transport



Post-Quantum crypto & TLS
Post-Quantum Cryptography and SSL/TLS
NIST Standardization Process

NIST timeline
▶ Standardization starts in 2017
▶ Should end around 2025

Candidates
▶ 82 initial submissions
▶ 26 submissions still in competition (round 2)

| Family | PKE / KEM | Signature |
|---|---|---|
| Code | 7 | – |
| Lattice | 9 | 3 |
| Multivariate | – | 4 |
| Hash | – | 2 |
| Isogeny | 1 | – |

In collaboration with CNRS XLIM and many other partners, Worldline has submitted 4 code-based cryptosystems: HQC, RQC, BIKE and ROLLO



Post-Quantum Cryptography and SSL/TLS
Impact on key sizes, bandwidth and performances

Key Exchange (PKE/KEM)

| Size (Bytes) | PK | SK | CT | Security |
|---|---|---|---|---|
| Kyber | 800 | 32 | 736 | 128 |
| BIKE3 | 1411 | 235 | 2 757 | 128 |
| ROLLO-I | 465 | 40 | 465 | 128 |

| Time (kCPU Cycles) | Keygen | Encaps | Decaps |
|---|---|---|---|
| Kyber | 33 | 49 | 62 |
| BIKE3 | 173 | 305 | 3 950 |
| ROLLO-I | 1 030 | 160 | 810 |

Authentication (Signature)

| Size (Bytes) | PK | SK | Sig. | Security |
|---|---|---|---|---|
| Dilithium | 1 184 | 2 800 | 2 044 | 128 |
| Rainbow | 58 100 | 93 000 | 64 | 128 |
| SPHINCS+ | 32 | 64 | 16 976 | 128 |

| Time (kCPU Cycles) | Keygen | Sign | Verify |
|---|---|---|---|
| Dilithium | 69 | 238 | 81 |
| Rainbow | 35 000 | 402 | 155 |
| SPHINCS+ | 3 080 | 100 694 | 12 011 |



Post-Quantum Cryptography and SSL/TLS
A challenging transition in perspective

Transition challenges

▶ Lots of work required to update protocols, standards and PKI infrastructures

▶ Key sizes and bandwidth cost might be problematic in several contexts

Transition may rely on Hybrid Key Exchange

▶ HKE combines a traditional key exchange with a post-quantum key exchange

▶ See draft-stebila-tls-hybrid-design-01 and draft-campagna-tls-bike-sike-hybrid-01

Crypto community is preparing the transition

▶ PQClean – Clean, portable, tested implementations of NIST-submitted schemes

▶ Open Quantum Safe – Integration of NIST-submitted schemes into OpenSSL fork
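The hybrid key exchange the slide points to is mostly plumbing: two key shares have to travel in one KeyShareEntry, and two shared secrets have to be combined before they enter the TLS 1.3 key schedule. The following is an added example, not code from the deck or from the drafts it cites. It implements the concatenation approach of draft-stebila-tls-hybrid-design: key shares are concatenated, shared secrets are concatenated, and the result replaces the (EC)DHE secret in the Early Secret → Handshake Secret step of RFC 8446. Sizes are the Kyber public key and ciphertext lengths from the table on the previous slide (800 and 736 bytes) and X25519 (32 bytes). The two KEMs are stand-ins: the StubKem class does no real cryptography, it only produces byte strings of the right lengths so that the encoding, the length checks and the derivation run offline.

```python
"""Hybrid key exchange plumbing for TLS 1.3, concatenation style (added example)."""
import hashlib
import hmac
import os
import struct

X25519_LEN = 32                        # public key and "ciphertext" (the peer's public key)
KYBER_PK_LEN, KYBER_CT_LEN = 800, 736  # from the Kyber row on the previous slide


class StubKem:
    """Placeholder with a real scheme's byte lengths. NOT secure: the shared secret
    is just a hash of (public key, ciphertext) so that both sides agree."""

    def __init__(self, pk_len, ct_len):
        self.pk_len, self.ct_len = pk_len, ct_len

    def keygen(self):
        sk = os.urandom(32)
        return hashlib.shake_256(b"pk" + sk).digest(self.pk_len), sk

    def encaps(self, pk):
        ct = os.urandom(self.ct_len)
        return ct, hashlib.sha256(pk + ct).digest()

    def decaps(self, sk, ct):
        pk = hashlib.shake_256(b"pk" + sk).digest(self.pk_len)
        return hashlib.sha256(pk + ct).digest()


TRAD = StubKem(X25519_LEN, X25519_LEN)    # stand-in for X25519 (Diffie-Hellman seen as a KEM)
PQ = StubKem(KYBER_PK_LEN, KYBER_CT_LEN)  # stand-in for Kyber


def split_hybrid(blob, first_len, second_len):
    """Split a concatenated hybrid value; a wrong total length is a malformed
    key share and must abort the handshake rather than be padded or truncated."""
    if len(blob) != first_len + second_len:
        raise ValueError(f"hybrid share has {len(blob)} bytes, expected {first_len + second_len}")
    return blob[:first_len], blob[first_len:]


def client_key_share():
    """ClientHello key_share for the hybrid group: traditional pk || post-quantum pk."""
    pk_t, sk_t = TRAD.keygen()
    pk_p, sk_p = PQ.keygen()
    return pk_t + pk_p, (sk_t, sk_p)


def server_respond(client_share):
    """ServerHello key_share (traditional ct || post-quantum ct) and the server's hybrid secret."""
    pk_t, pk_p = split_hybrid(client_share, X25519_LEN, KYBER_PK_LEN)
    ct_t, ss_t = TRAD.encaps(pk_t)
    ct_p, ss_p = PQ.encaps(pk_p)
    return ct_t + ct_p, ss_t + ss_p


def client_finish(secret_keys, server_share):
    """Client side: decapsulate both halves and concatenate in the same order as the server."""
    sk_t, sk_p = secret_keys
    ct_t, ct_p = split_hybrid(server_share, X25519_LEN, KYBER_CT_LEN)
    return TRAD.decaps(sk_t, ct_t) + PQ.decaps(sk_p, ct_p)


def hkdf_extract(salt, ikm, h=hashlib.sha256):
    """HKDF-Extract as used by the TLS 1.3 key schedule."""
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand_label(secret, label, context, length, h=hashlib.sha256):
    """HKDF-Expand-Label from RFC 8446 section 7.1."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), h).digest()
        out += block
        counter += 1
    return out[:length]


def handshake_secret(shared_secret, h=hashlib.sha256):
    """Early Secret -> Handshake Secret (no PSK); the concatenated hybrid secret is
    the IKM, exactly where a single (EC)DHE shared secret would go."""
    zeros = bytes(h().digest_size)
    early = hkdf_extract(zeros, zeros, h)
    salt = hkdf_expand_label(early, b"derived", h(b"").digest(), h().digest_size, h)
    return hkdf_extract(salt, shared_secret, h)


def run_exchange():
    """Full exchange; returns (client share length, server share length, secrets match)."""
    client_share, keys = client_key_share()
    server_share, ss_server = server_respond(client_share)
    ss_client = client_finish(keys, server_share)
    same = handshake_secret(ss_client) == handshake_secret(ss_server)
    return len(client_share), len(server_share), same


if __name__ == "__main__":
    print(run_exchange())
```

The two share lengths the script reports (832 and 768 bytes) are the bandwidth cost the previous slide talks about, and the strict length check in split_hybrid is the place where a real implementation must fail closed: an implementation that silently truncated the post-quantum half would negotiate a hybrid group while deriving its key from the classical half alone.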



Post-Quantum Cryptography and SSL/TLS
Experiments using Post-Quantum SSL/TLS

Google experiment on Post-Quantum SSL/TLS (2016 & 2018)
▶ First experiment in 2016 using NewHope with TLS 1.2
▶ Second experiment in 2018 using lattices and supersingular isogenies with TLS 1.3
▶ Many subtleties in result analysis (see https://www.imperialviolet.org/ for details)

| Additional key size (Bytes) | |
|---|---|
| Supersingular Isogenies (SI) | 400 |
| Structured Lattices (SL) | 1 100 |
| Unstructured Lattices (UL) | 10K |

| Additional latency (ms), computation NOT included | SI | SL |
|---|---|---|
| Desktop – Median | 2,6 | 5,5 |
| Desktop – 95% | 19,2 | 136,9 |

Ongoing study on the integration of NIST candidates into SSL/TLS (eprint 2019/858)



Post-Quantum Cryptography and SSL/TLS
Experiment on Post-Quantum Document signature/PKI

Proof of Concept implementation


▶ Sign PDF files using a quantum resistant algorithm

▶ Verify signatures in signed PDF files

▶ Create a first notion of Certificate Authority (CA)

Challenges
▶ Use SPHINCS-256 signature (2017)

▶ Use X.509 standard for certificates



Appendix
Appendix
References

Feisty duck: https://www.feistyduck.com/


▶ BULLETPROOF SSL AND TLS
– Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications
▶ Newsletter: https://www.feistyduck.com/bulletproof-tls-newsletter/
– A lot of pointers related to TLS
Paper from the official Dutch cybersec office NCSC:
▶ https://www.ncsc.nl/binaries/content/documents/ncsc-en/current-topics/factsheets/it-security-guidelines-for-transport-layer-security-tls/1/IT%2BSecurity%2BGuidelines%2Bfor%2BTransport%2BLayer%2BSecurity%2Bv2.0.pdf
OWASP
▶ Overview of TLS v1.3 - What’s new, what’s removed and what’s changed?
▶ https://www.owasp.org/images/d/d3/TLS_v1.3_Overview_OWASP_Final.pdf
Validations
▶ Verified Reference Implementations of TLS:
– https://www.mitls.org/
– https://github.com/Inria-Prosecco/reftls
▶ Security Validation of crypto implementations: https://github.com/google/wycheproof



Appendix
References (Post-Quantum Cryptography and SSL/TLS)

BIKE. https://bikesuite.org/
ROLLO. https://pqc-rollo.org/
Kyber. https://pq-crystals.org/
DILITHIUM. https://pq-crystals.org/dilithium/index.shtml
Rainbow. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-2/submissions/Rainbow-Round2.zip
SPHINCS+. https://sphincs.org/
Design issues for hybrid key exchange in TLS 1.3.
https://datatracker.ietf.org/doc/draft-stebila-tls-hybrid-design/
Hybrid Post-Quantum Key Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2
https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid-01
PQClean project. https://github.com/PQClean/PQClean
Open Quantum Safe project. https://openquantumsafe.org/
Google Experiment on Post-Quantum Cryptography.
https://www.imperialviolet.org/2018/12/12/cecpq2.html
Integration of NIST candidates in TLS. https://eprint.iacr.org/2019/858



Appendix
Recommendations as of ciphers

Target Apache directives: SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder, SSLInsecureRenegotiation

Good
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Sufficient
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Phase out
RSA was already only accepted by Qualys with the lowest priority as it does not provide forward secrecy. It still seems to be tolerated for a while by Qualys with TLS1.2 until further notice.
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA

To be decommissioned with TLS 1.0/1.1
3DES must be decommissioned with TLS 1.0 and TLS 1.1, since Qualys toleration of 3DES was limited to older protocols.
Phase out
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
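The slide lists suites under their IANA names, while the Apache directives it names expect OpenSSL's names, so the last step of "define order of preferences and exclusions on servers" is a mechanical translation that is easy to get wrong by hand. The following is an added example for this deck, not the slide authors' configuration: it converts the TLS 1.2 IANA names above to OpenSSL names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 becomes ECDHE-RSA-AES128-GCM-SHA256) and renders the four directives, with the Good list as preference order and the decommissioned suites as explicit exclusions. The suite lists are copied from the slide; TLS 1.3 suites are configured separately in mod_ssl (SSLCipherSuite TLSv1.3 ...) and are rejected here rather than guessed at. Enabling TLSv1.3 in SSLProtocol assumes httpd 2.4.37 or later.

```python
"""Render the slide's cipher lists as Apache mod_ssl directives (added example)."""

GOOD = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Phase out on the slide: 3DES goes with TLS 1.0/1.1, plain RSA lacks forward secrecy.
DECOMMISSION = [
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# IANA bulk-cipher token -> OpenSSL token (CBC is implicit in OpenSSL names).
BULK_NAMES = {
    "AES_256_GCM": "AES256-GCM", "AES_128_GCM": "AES128-GCM",
    "AES_256_CBC": "AES256", "AES_128_CBC": "AES128",
    "CHACHA20_POLY1305": "CHACHA20-POLY1305",
    "3DES_EDE_CBC": "DES-CBC3",
}


def openssl_name(iana):
    """Map an IANA TLS 1.2 cipher-suite name to its OpenSSL name."""
    if not iana.startswith("TLS_") or "_WITH_" not in iana:
        raise ValueError(f"not a TLS 1.2 IANA suite name: {iana}")
    kx_auth, rest = iana[len("TLS_"):].split("_WITH_", 1)
    bulk, _, mac = rest.rpartition("_")
    if bulk not in BULK_NAMES:
        raise KeyError(f"no OpenSSL mapping in this table for {bulk}")
    parts = []
    if kx_auth != "RSA":               # plain RSA key transport has no prefix (e.g. AES128-SHA)
        parts.append(kx_auth.replace("_", "-"))
    parts.append(BULK_NAMES[bulk])
    if bulk != "CHACHA20_POLY1305":    # ChaCha20 suites drop the SHA256 PRF from the name
        parts.append(mac)
    return "-".join(parts)


def mod_ssl_directives(allowed, excluded=()):
    """The four directives named on the slide.

    `allowed` is the server's preference order (enforced by SSLHonorCipherOrder);
    `excluded` suites get an explicit '!' entry, so a broader alias added later
    cannot re-enable them.
    """
    cipher_list = [openssl_name(s) for s in allowed]
    cipher_list += ["!" + openssl_name(s) for s in excluded]
    return "\n".join([
        "SSLProtocol -all +TLSv1.2 +TLSv1.3",   # TLSv1.3 needs httpd 2.4.37+ with OpenSSL 1.1.1+
        "SSLCipherSuite " + ":".join(cipher_list),
        "SSLHonorCipherOrder on",
        "SSLInsecureRenegotiation off",
    ])


if __name__ == "__main__":
    print(mod_ssl_directives(GOOD, DECOMMISSION))
```

The printed block can be pasted into the virtual host and checked with `apachectl configtest`; the ":"-separated list keeps the slide's order, which is what SSLHonorCipherOrder turns into the server's actual preference.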



Appendix
Evolutions TLS 1.2 → 1.3

Being retired
▶ TLS 1.0 & TLS1.1

Current versions
▶ TLS1.2
– 37 cipher suites
– + previous versions (319)
▶ TLS1.3
– Scope more under control (5 cipher suites)
– More efficient (e.g. handshake)
– More encrypted parts in protocol
– Old/unsecure features removed
– Caveat: disable 0-RTT

[Figure: handshake message flows]
TLS 1.2 (Client ↔ Server)
Client → Server: ClientHello
Server → Client: ServerHello, Certificate, ServerKeyExchange, Cert request, ServerHelloDone
Client → Server: Client cert, ClientKeyExchange, Client Cert Verify
Master Secret Shared
Client → Server: ChangeCipherSpec, Finished
Server → Client: ChangeCipherSpec, Finished
Application Data

TLS 1.3 (Client ↔ Server)
Client → Server: ClientHello + Key share + Sign Algo + PSK Key Exchange + Pre Shared Key
Server → Client: ServerHello + Key share + Pre Shared Key
Session Key available
Server → Client: (encrypted Ext), (Certif Req), (Certificate), (Certif Verify), Finished
Client → Server: Client cert, Client Cert Verify, Finished
Application Data



Appendix
General reflections on weaknesses and attacks

Depending on architecture and security architecture


▶ Many more attacks on web applications beyond TLS
– Cfr OWASP top 10
▶ TLS attacks concern (focus on HTTPS)
– Servers and clients
– Applications, Proxies, Appliance, Browsers
▶ TLS can be managed at various levels
– OS (e.g. Schannel in Windows)
– Libraries (e.g. openSSL, BouncyCastle, JSSE, …)
• Applications (Java, …) – not recommended
• Proxies (Apache, Nginx, HAproxy, …)
• Appliance (e.g. WAF, NG FW, …)
– Browsers
▶ Also to consider: PKI and DNS



Appendix
Threats from Quantum Computing

| Algorithm | Grover (1996) | Shor (1994) |
|---|---|---|
| Impact | Symmetric cryptography & Hash function | Asymmetric cryptography |
| Problem | Key brute force search, Collision brute force search | Integer factorization, Discrete logarithm |
| Classical computing | Exponential complexity | Sub-exponential complexity |
| Quantum computing | Sub-exponential complexity | Polynomial complexity (n³) |
| Consequences | Problem easier than expected | Problem no longer difficult! |

Quantum computers will have a tremendous effect on the security of many cryptosystems that are massively deployed all around the world
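The [x2] and [x3] factors quoted on the "Impact of potential Quantum Computing" slide follow from the query complexities behind this table. Worked out here as an added note (not part of the original deck), with n the symmetric key length in bits and m the hash output length in bits:

```latex
\begin{align*}
&\text{Grover: unstructured search over } N \text{ candidates costs } O(\sqrt{N}) \text{ quantum queries.}\\
&\text{Key search, } n\text{-bit key: } N = 2^{n} \;\Rightarrow\; O(2^{n/2}) \text{, i.e. } n/2 \text{ bits of security; }\; n = 256 \text{ for 128 bits } [\times 2].\\
&\text{Collision search, } m\text{-bit hash: classical birthday bound } O(2^{m/2}), \text{ quantum (Brassard, H\o yer, Tapp) } O(2^{m/3});\; m = 384 \text{ for 128 bits } [\times 3].\\
&\text{Shor: factoring and discrete logarithm in } O\!\left((\log N)^{3}\right) \text{ operations, polynomial in the key length; no choice of } n \text{ restores RSA, DSA, (EC)DH(E).}
\end{align*}
```

The asymmetry in the table is therefore a difference in kind: doubling a symmetric key length or tripling a hash output absorbs Grover's square root, whereas no key length absorbs a polynomial-time algorithm, which is why the standards on the earlier slide must be replaced rather than resized.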



Atos Expert Convention 2019
For more information please contact:
T+ 32 478 20 15 14
philippe.bodden@atos.net

T+ 33 652 38 74 38
loic.bidoux@worldline.com

T+ 33 320 60 79 79
slim.bettaieb@worldline.com

Atos, the Atos logo, Atos Syntel, Unify, and Worldline are registered trademarks of the
Atos group. October 2018. © 2018 Atos. Confidential information owned by Atos, to be
used by the recipient only. This document, or any part of it, may not be reproduced,
copied, circulated and/or distributed nor quoted without prior written approval from Atos.
