Network security -https
The Cornerstone of Network Security (I)-Encryption
The Cornerstone of Network Security (Ⅱ) —— Integrity and Identity Authentication
Public key trust-digital certifiCAte and ca
Trust begins with handshake. Detailed explanation of TLS connection process.
Characteristic analysis of TLS 1.3
How to optimize HTTPS connection-to be improved
As early as 20 13, IETF (Internet Engineering Group) was dissatisfied with the outdated design of TLS 1.2 and the cost of two round trips, so it began to prepare a new version of TLS. In August of the same year, Eirc Riskola put forward the function wish list of the new version of TLS. After some arguments, the content of the proposal was finally defined as TLS 1.3. The main problems to promote the design of TLS 1.3 are:
Finally, at 20 18 and 20 10, after four years, the final version of TLS 1.3 was released-RFC-8446. The new protocol makes the Internet faster and safer. With the increasing adoption rate of TLS 1.3, it will inevitably affect the development of the Internet in the long run. At the same time, it is undoubtedly urgent to apply TLS 1.3 to the online environment as soon as possible.
However, before that, the application of TLS 1.2 was 10 (2008). After all, it has experienced various tests, and the new agreement will definitely bring new challenges in its promotion and deployment. Next, let's take a look at how the new version of TLS is done.
As TLS1.11.2 and other protocols have appeared for many years, many applications and Middlebox only recognize the old recording protocol format, which is difficult to update or even rigid.
Deployability
According to the official, because these Middlebox did not perform well in the new changes, even minor changes to the TLS 1.3 protocol (such as deleting redundant ChangeCipherSpec messages and upgrading the version number from 0x03 to 0x04) eventually led to the connection failure of some devices. This is one of the important reasons why TLS 1.3 took so long from the draft to the final release.
In order to ensure that these widely deployed "old devices" can continue to be used, TLS 1.3 has to make a compromise and achieve compatibility through "camouflage": keep the existing recording format unchanged and make TLS 1.3 look like TLS 1.2.
Extended protocol
So, how to distinguish between 1.2 and 1.3?
A new extension agreement is used here, which means "supplementary terms". You can add new functions by adding a series of "extended fields" at the end of the record. The old version of TLS can be ignored directly without knowing it, realizing "backward compatibility".
TLS 1.3 has achieved many important functions by extension, such as "supported _ groups", "key _ share", "signature _ algorithms" and "server _ name".
TLS 1.2 has gained a lot of valuable experience in more than ten years' practice and found many loopholes and weaknesses in encryption algorithms. Therefore, it has become one of the design goals of TLS 1.3 to eliminate the potentially dangerous design to correct the previous mistakes. So these unsafe factors should be corrected in the new version of TLS protocol.
For example:
Fixed key exchange
After this "slimming", the key exchange algorithm of TLS 1.3 is only ECDHE and DHE, and the elliptic curve (ECC) is also "cut" to only P-256 and x255 19.
First of all, let's talk about the reasons for abolishing RSA and DH key exchange algorithms:
Because the client will choose ECDHE instead of RSA as the key exchange by default, this is because it does not have "forward confidentiality": "If someone records the encrypted data for a long time and then obtains the RSA private key of the server in a later period of time, then the hacker can use this private key to decrypt the" pre-master "of all previous messages, and then calculate the session key to crack all ciphertexts. This is intercepted today and cracked tomorrow. "
ECDHE algorithm generates a pair of temporary public key and private key every handshake, and the key pair of each communication is different, that is, "one secret at a time". Even if the hacker made great efforts to crack the session key this time, only this communication was attacked, and the previous historical news will not be affected and it is still safe.
Therefore, mainstream servers and clients use ECDHE instead of RSA in the handshake phase, while TLS 1.3 explicitly abolishes RSA and DH in the protocol, thus ensuring "forward security" at the standard level.
Fixed password
Over the years, the key exchange mechanism is not the only part that causes security loopholes, and there are also quite a few problems in the symmetric key part.
Similarly, the symmetric encryption algorithm only keeps AES and ChaCha20 after slimming, the grouping method can only use AEAD's GCM, CCM and Poly 1305, and the abstract algorithm can only use SHA 256 and SHA 384.
In this way, many encryption algorithms and parameter combinations make the cipher suite very complicated and difficult to choose. After slimming, there are only five suites left in TLS 1.3, which makes it "easier" for clients or servers to choose password suites. More importantly, however, these algorithms have been proved to be unsafe factors in the long-term practice of TLS, resulting in security loopholes.
Repair digital signature
After the previous study, I believe you know that another important part of TLS is authentication. In each connection, the service uses a digital certificate with a public key to provide authentication to the client. In RSA encryption mode, the server decrypts the pre-master key and calculates the MAC through the session record to prove its ownership of the private key. In Diffie-Hellman mode, the server uses digital signature to prove the ownership of the private key.
In TLS 1.2 and earlier versions, the signature of the server only covers part of the handshake. The part used to negotiate which symmetric password to use is not signed by the private key. This has also led to many striking loopholes, such as freaks, deadlocks and so on. In TLS 1.3, these situations can be avoided because the server signs the whole handshake record.
When establishing a connection, HTTPS not only carries out TCP handshake, but also carries out TLS handshake. In TLS 1.2, there will be two more message round trips (2-RTT), which may cause a delay of tens of milliseconds or even hundreds of milliseconds, and the delay will be more serious in mobile networks.
1-RTT mode
The cipher suite is greatly simplified, and there is no need to go through complicated negotiation process as before. TLS 1.3 compresses the previous "Hello" negotiation process, deletes the "key exchange" message, and shortens the capture time to "1-RTT", which doubles the efficiency.
The following is a schematic diagram of TLS 1.3 handshake process. Note the difference between TLS 1.2 introduced earlier.
0-RTT recovery
In addition to the standard "1-RTT" handshake, inspired by the QUIC protocol, the client can send encrypted data to the server in the first message, which has no additional delay cost compared with unencrypted HTTP.
In TLS 1.2, there are two methods to recover the connection: session ID and session ticket, and 1.3 combines them to form a new mode called PSK (pre-shared key) recovery.
Handshake analysis
At present, Web servers such as Nginx can support TLS 1.3 well, but the underlying OpenSSL must be1.1. So if you want to deploy, you need to upgrade your OpenSSL version first.
First, after TCP establishes a connection, the browser sends a "hello client" first.
Since the message of 1.3 is compatible with 1.2, the initial version number, supported cipher suite and random number structure of the client are the same (the random number at this time is 32 bytes).
Pay attention to the extension in "Hello client", "supported_versions" means that this is TLS 1.3, "supported_groups" is the supported curve, and "key_share" is the corresponding parameter of the curve.
It's a bit like "try to finish what you have to say in one breath" or "say hello" as usual. I have this information here, so considering the version upgrade, I attach some information, which may be used in the future.
When the server receives the message "Hello client", it also returns the message "Hello server", or it should give a random number (random server) and the selected password suite.
On the surface, the version is the same as TLS 1.2, with the emphasis on later expansion. Confirm that TLS 1.3 is used in "supported_versions", and then put the curve and corresponding public key parameters on the "key_share" extension.
The response of the server is still the same as the old routine. The server selects the information provided by the client. In addition, the server must attach some parameters. This kind of encryption is solved through negotiation.
It can be seen that compared with the handshake process of TLS 1.2, TLS 1.3 only uses two messages to enjoy four messages: client random and server random, client parameters and server parameters. Both parties can calculate the "pre-master" by DH and then generate the "master secret" by HKDF, which is much more efficient than TLS 1.2.
After the server calculates the master key, it immediately sends out the message "Change Crypter Spec", which enters the encrypted communication earlier than TLS 1.2, and all subsequent certificates are encrypted to reduce the disclosure of plaintext information when shaking hands.
TLS 1.3 also adds a message "Change password specification", and the server signs handshake data such as curves, suites and parameters with a private key, which is similar to the message "Done". However, because it is a private key signature, it strengthens identity authentication and tamper prevention.
After two "hello" messages, the client verifies the server certificate, then sends a "done" message, officially completes the handshake, and starts sending and receiving HTTP messages.
There are many websites that support TLS 1.3, such as GitHub:
Today, we mainly introduce some new features of TLS 1.3, which can be summarized as follows:
TLS 1.3 involves a lot of content. Please refer to RFC-8446 for more details. What else do you want to share about this part? Welcome to leave a message or correct me.
Network security series topics
Extended reading