Network Impacts of HTTPS Transport Encryption BRKSEC-2525 Dan Wing, Distinguished Engineer GSSO Agenda • Introduction to Proxies • HTTP Inspection Background • HTTPS Inspection • Future BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Abstract, in bullet points • Background on how network security is performed on plain-text traffic • Why network traffic is moving towards more encryption • Decryption using TLS proxies • Future protocols and solutions • This presentation contains no product-specific information • This is not a "how to" presentation BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Objectives • Review network security is performed on un-encrypted traffic • Review TLS proxy interception • Protocol futures BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Introduction: Encryption Impacts Network Security • Security features need access to plain text • IPsec, SSL, TLS • Breaking TLS • Encrypted HTTPS is 30-40% of cellular wireless traffic, and rising • Decryption is not always possible • Where decryption is possible, decryption adds cost 25-35%, “SSL Performance Problems: Significant SSL Performance Loss Leaves Much Room for Improvement,” NSS Labs, June 2013 BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public TLS versus IPsec • TLS – Transport Layer Security – Runs over TCP – easy firewall and NAT traversal – very widely deployed – Typically, only server is validated (client is not validated with TLS) • IPsec – Designed for computer-to-computer and network-to-network (VPN) – Lots of modes = lots of confusion • IPsec tunnel mode, transport mode • IPsec AH, ESP – IP protocol 50 (ESP), 51 (AH) • Requires NAT&firewall IPsec passthrough support • IPsec-over-UDP, IPsec-over-TCP (non-standard) – IKE-over-UDP exchange separate from IPsec BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 TLS versus IPsec • TLS – Transport Layer Security – Runs over TCP – easy firewall and NAT traversal – very widely deployed – Typically, only server is validated (client is not validated with TLS) • IPsec – Designed for computer-to-computer and network-to-network (VPN) – Lots of modes = lots of confusion • IPsec tunnel mode, transport mode • IPsec AH, ESP – IP protocol 50 (ESP), 51 (AH) • Requires NAT&firewall IPsec passthrough support • IPsec-over-UDP, IPsec-over-TCP (non-standard) – IKE-over-UDP exchange separate from IPsec BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 SSL and TLS Versions • SSL 1, SSL 2, 1995, designed by Netscape – Contained security flaws • SSL 3, 1996 – RC4 vulnerable, and SSLv3 block ciphers vulnerable to POODLE attack • TLS 1.0, 1999, RFC2246 • TLS 1.1, 2006, RFC4346 – Improved security • TLS 1.2, 2008, RFC5246 – Improved security (key derivation, SHA256) – Improved negotiation of hashes and signatures – Supports authenticated encryption ciphers (AES-GCM, CCM mode) • TLS 1.3, currently Internet Draft BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 SSL and TLS Versions • SSL 1, SSL 2, 1995, designed by Netscape – Contained security flaws • SSL 3, 1996 – RC4 vulnerable, and SSLv3 block ciphers vulnerable to POODLE attack • TLS 1.0, 1999, RFC2246 • TLS 1.1, 2006, RFC4346 – Improved security • TLS 1.2, 2008, RFC5246 – Improved security (key derivation, SHA256) – Improved negotiation of hashes and signatures – Supports authenticated encryption ciphers (AES-GCM, CCM mode) • TLS 1.3, currently Internet Draft BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Breaking Encryption • Transport encryption – – – – TLS: HTTPS, mail (SMTP, IMAP), others TLS: certain applications (e.g., Dropbox client) DTLS: WebRTC, DTLS-SRTP, Cisco AnyConnect IPSec: VPN • Email Object encryption – Impacts content security – PGP (Gmail, Yahoo), S/MIME (Apple iOS, Outlook) Proxy with TLS client cooperation Generally un-breakable, due to mutual authentication and/or certificate pinning HTTPS – HTTP over SSL (TLS) TLS – Transport Layer Security (TCP) DTLS – Datagram Transport Layer Security (UDP) PGP – Pretty Good Privacy S/MIME – Secure/Multipurpose Internet Mail Extensions BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Breaking Encryption: HTTPS Instant Messaging • Transport encryption – TLS: HTTPS, mail (SMTP, IMAP), others Proxy with TLS client cooperation – Applications using HTTPS-style authentication can be also be proxied – – – – Facebook Messenger Snapchat What’app Threema BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public When can HTTPS be proxied (decrypted)? Client TLS Proxy Cannot Decrypt Internet Server Can Decrypt • Endpoint does not cooperate • Endpoint cooperates – Internet Service Provider – Guest WiFi • Install additional root certificate on client (operationally complex) • Certain applications • Decrypt TLS, examine or modify, reencrypt TLS – (Dropbox, iTunes, …) • Expensive to decrypt TLS everywhere – Hardware and Operational / debugging complexity BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Reasons Sites Use HTTPS Encryption Subscriber Benefit • Subscriber privacy – Health research • Avoid passive surveillance • Lock icon (🔒) • Avoid malware injection Benefits both • Avoid broken caches/proxies • HTTP2 • Prevent ISP from degrading user experience – Video quality degradation • Avoid Chrome HTTP warning (future) BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Site Benefit • Account information – credit card, bank information, passwords • Prevent ISP from: – Selling subscriber web history – Injecting advertising – Breaking page operation • Better Google ranking Reasons Sites Avoid HTTPS Encryption • Loss of caching • Certificate cost ($50-$1500/year) • Slower page load times • Equipment cost • Client CPU and battery consumption BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Reasons Sites Avoid HTTPS Encryption • Loss of caching future: Sub-Resource Integrity • Certificate cost ($50-$1500/year) www.LetsEncrypt.org • Slower page load times HTTP2 and TLS 1.3 improve page load times • Equipment cost • Client CPU and battery consumption (minor) BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Reasons ISPs / Enterprises Dislike HTTPS Encryption ISPs Enterprises • Optimize network with caching – Streaming or live video – Static images • Content and priority policies • Inject advertising – Deep Packet Inspection (DPI), legal requirements (stock broker, bank) • Sell customer traffic data • “good proxies” • “bad proxies” BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. • Increased cost and complexity of content security Cisco Public Good Proxies / Bad Proxies • Good proxy: provide value to end user or the network owner – Block malware – Block spam – Cache content • Bad proxy: harm the end user – Intercept user’s traffic • banking transaction, credit card number, health-related searches • Creates legal liability (risk) – Interfere with protocol features • HTTP 1.1 pipelining, HTTP2, HTTP DELETE method – Inject malware – Break web page functionality • advertising injection, video quality degradation • A proxy can be both good and bad, depending on perspective! BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 The Trouble with Proxies • Proxies harm protocol evolution – Measured 20% failure rate trying to use “Upgrade: HTTP2” over un-encrypted TCP – Mis-handling HTTP 1.1 features (especially pipelining) • “Erosion of the moral authority of transparent middleboxes” – Joe Hildebrand (Internet Architecture Board, Cisco), Patrick McManus (Mozilla) – Discusses how middleboxes (proxies) harm protocol evolution http://tools.ietf.org/html/draft-hildebrand-middlebox-erosion BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 Industry Encryption Efforts • Encryption by default: Google, Gmail, Facebook, Twitter, … – Started over a year before Snowden • IETF IAB – Statement of Internet Confidentiality – Stack Evolution in a Middlebox Internet (SEMI) workshop this week in Zürich • W3C TAG, Securing the Web • TLS 1.3 improvements – Fewer messages for faster set up – Encrypts TLS handshake, including server’s (and client’s) certificate • Let’s Encrypt https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality https://w3ctag.github.io/web-https http://www.iab.org/activities/workshops/semi/ BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 Let’s Encrypt • Free certificates for servers • Non-profit organization • Sponsored by Cisco, Mozilla, Akamai, EFF, and IdenTrust • Software will: – – – – Automatically prove to the Let’s Encrypt CA that you control the website Obtain a browser-trusted certificate and set it up on your web server Keep track of when your certificate is going to expire, and automatically renew it Help you revoke the certificate • https://letsencrypt.org BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. $ sudo apt-get install lets-encrypt $ lets-encrypt example.com Cisco Public 21 Email Encryption (Object Encryption) • Content security needs access to plaintext • End-to-end encryption prevents access to plaintext – PGP – S/MIME • Today, most users simply delete encrypted email – So encrypted spam/malware is not a threat • Tomorrow, if encrypted email is easier, it becomes easy vector for malware and phishing • Ongoing research BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 HTTP Inspection Overview of Network Inspection • Packets cross packet boundaries – Overlapping TCP segments • JavaScript Obfuscation • IPv4/IPv6 BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 Application Inspection TCP stream re-assembly Inspect Server Client Inspect TCP stream re-assembly • Inspect request URL against blacklist and reputation database • Inspect response data for malicious payloads BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Payloads across Packet Boundaries • Happens naturally at packet boundaries – 1500 bytes GET INDEX.HTML HTTP/1.1 • Can happen maliciously • Solution: re-assemble TCP GET IN BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public DEX.HTM L HTTP/1.1 TCP TCP TCP IP IP IP 26 Obfuscation to break pattern matching • Request http:://example.com///index.htm • Response: document.write('<'+'ifr'+'ame '+' sr'+'c'+'='+'"http://etetyum.ZZZ/... Document.write(‘<iframe src=“http://etetyum.ZZZ/... BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 Dual Stack Complications • Malware might be split between IPv6 / IPv4 – Get part “A” of malware via IPv4, part “B” over IPv6 • Requires identifying hosts, rather than assuming host has one IP address • Ongoing research BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 28 HTTPS Inspection HTTPS Inspection • Operation of TLS Proxy • Performance • How TLS proxy performs its job • Certificate Pinning, Lawful Intercept BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 30 Reminder: Application Inspection without TLS TCP stream re-assembly Inspect Server Client Inspect BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 TCP stream re-assembly TLS inspection authenticate & decrypt Inspect authenticate & encrypt Server Client Authenticate & encrypt Inspect Authenticate & decrypt TLS Proxy • TLS session start up: public key calculations (RSA, EC, DH) • TLS session ongoing: authenticate (SHA1) and encrypt/decrypt (AES) BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 32 TLS Performance Impact: 20-30% of rated speed 10 8 HTTP 50% HTTPS 100% HTTPS 6 4 2 0 Cisco-1 BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco-2 Cisco Public 33 HTTPS through TLS proxy • Browser and operating system trust 100’s of certificate authorities • Method 1: add another CA to the client’s trust list – Most common • Method 2: purchase an intermediate root certificate – Violates terms and conditions • With either method, TLS proxy authenticates using your certificate’s private key BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Breaking HTTPS: method 1, install additional root on client 1. Generate public/private key and root certificate 2. install that root certificate on client devices Web Browser 3. Visit website TLS proxy 4. TLS Hello HTTPS Server 5. TLS Hello 6. Server Certificate 7. Validate certificate 8. Generate (spoofed) certificate, signed by our private key from (1) 9. (Spoofed) Server Certificate BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Certificate Stores: OS or Application Browsers using OS cert store Browsers using their own cert store • Mobile Safari (iOS), Safari (Mac) • Firefox: Preferences, Advanced, Certs • Chrome, Chrome for Mobile • Opera: Settings > Preferences > Advanced > Security > Manage Certs • Internet Explorer • Android: Settings > Personal > Security > Credential storage > Install • iOS: Configuration Profile (email or iPhone Configuration Utility) • Windows: Management Console (MMC) or Group Policy Manager • OS X: Keychain Access BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 36 “User-Installed Certificate” has Scoping Problem • “User-installed certificate” is intended for enterprise Certificate Authorities – Intent is abused by TLS proxies – TLS proxy can assert itself as any website – In the future, this abuse might be closed • TLS proxy’s private key could be stolen, and examine/modify traffic – Don’t lose the private key! – Long certificate lifetime is riskier; changing certificates on client is $$ – Forward secrecy reduces risk (discussed later) BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Breaking HTTPS: method 2, Intermediate root • Clients already trust. Easy! No client configuration! • Costs USD $120,000 • Contract states the certificate is “not for intercepting TLS” • A significant risk to the Internet • Browser vendors working to detect and disallow these certificates BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public User Detection of TLS Proxy How users notice TLS interception proxy • Certificate warning error – Unfortunately, users are accustomed to seeing errors (“OK to Continue”) • Check certificate manually – Awkward • Browser plugin to “ask friends” about expected certificate – Network notary / Perspectives • Certificate pinning BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 39 Certificate Pinning • Shipping in Firefox and Chrome • Solves two problems: rogue CAs, and $100,000 subordinate root certificates • Specifies which CAs can authenticate a site – Instead of ~300 CAs, now only 2 can authenticate a site – Reduces man-in-the-middle attacks due to compromised CAs • User-installed root certificates (“enterprise certificates”) ignore key pinning – Firefox and Chrome – TLS proxying works in conjunction with key pinning – This means enterprises key pinning generates no error with enterprise certificates • Applications enforcing pinning – Dropbox client, iTunes, others HTTP Public Key Pinning (HPKP), http://tools.ietf.org/html/draft-ietf-websec-key-pinning BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Lawful Intercept • Lawful Intercept – Concept based on wiretapping – Basic idea: duplicate packets – Law enforcement can utilize metadata, even if data is encrypted • Intercept target should not notice intercept – Assuming average technical sophistication – Certificate pinning makes TLS proxy more obvious BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 41 Future Future • Encryption Tussle • New model: opt-in • Caching with HTTPS • Optimizing TLS proxy encryption and decryption • HTTP2 (“SPDY”) and brief note on Google QUIC • TLS 1.3 • Netflow for security • Forward secrecy BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Encryption Tussle Government Encryption Companies Citizens / Users http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 44 Future: Browser opts-in to network value add • Recall the good/bad proxies – Good proxy: provide value to end user or the network owner • Block malware, spam – Bad proxy: harm the end user • Instead of an all-powerful implicit proxy, provide specific features to browser – – – – Cache objects Content security service Data loss prevention service Network bandwidth information (to optimize audio/video quality versus bandwidth) BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 45 Explicit Content Cache • New model: explicit content cache • Fetch integrity-protected object from somewhere nearby – Another nearby device (Bluetooth, WiFi, cellular, optical) – Nearby network storage (ISP cache, home router) • A step towards Named Data Networking • SubResource Integrity (SRI) – Standardized by W3C, http://www.w3.org/TR/SRI – Uses “ni” URI scheme (RFC6920) – Available in Chrome <script src="https://code.jquery.com/jquery-1.10.2.min.js" integrity="ni:///sha-256;C6CB9UI...TQmYg?ct=application/javascript"> BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Optimize Decryption: Do TLS and DPI once DPI and action on each device today TLS, inspection, and action on each device Naïve and expensive Tomorrow: Do TLS once BRKSEC-2525 TLS TLS TLS TLS TLS TLS TLS and inspection once, and do action on each device © 2015 Cisco and/or its affiliates. All rights reserved. TLS Cisco Public TLS Optimizing TLS • Each new TLS connection is an expensive public key operation (RSA) • Each byte of encrypted data is expensive (AES, SHA-1) • Make them easier! • RSA -> Elliptic Curve Cryptography (ECC) – ECC is faster to compute – ECC keys are shorter (for same strength), fewer bytes on the wire – Widely available • AES-SHA1 -> ChaCha20-Poly1305 – 300% faster than AES-GCM – Available in Chrome and Google servers BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 48 HTTP2 (SPDY) and TLS • Multiplex requests and responses over single TCP connection – More efficient object retrieval – One TCP connection to each server (avoids TCP & TLS setup delays) • All browsers only attempt HTTP2 over TLS – Chrome, Firefox, Safari – Avoids difficult fallback code (like was necessary with HTTP 1.1 and middleboxes) – Upgrades to HTTP2 using TLS extension • Saves round trip of using HTTP’s “Upgrade:” header • Page load time: HTTP2-over-TLS is equivalent to (plaintext) HTTP – Eliminates TLS page load time penalty http://caniuse.com/#feat=spdy Daniel Stenberg’s HTTP2 tutorial paper, http://daniel.haxx.se/http2 BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 49 HTTP, HTTPS, and HTTP2 Layering http:// https:// https:// 6-8 TCP connections per site BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. https:// Fewer TCP connections Cisco Public HTTP, HTTPS, HTTP2, and Google QUIC http:// https:// https:// https:// https:// • QUIC provides its own security, congestion control, and interacts with HTTP2’s prioritization and multiplexing www.wikipedia.org/QUIC BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Partial TLS Handshake (TLS 1.0 – 1.2) Desired server TLS Client TLS Server TLS ClientHello SNI=www.example.com TLS ServerHello Certificate for www.example.net Session key (encrypted with private key) Actual server Server certificate can avoid decrypting if entire site is blacklisted or whitelisted BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 52 Partial TLS Handshake (TLS 1.3) Desired server TLS Client TLS Server TLS ClientHello SNI=www.example.com Client’s Diffie-Hellman key TLS ServerHello Server’s Diffie-Hellman key { Certificate for www.example.net } { Session key (encrypted with private key) } Actual server {Encrypted by DH} Can only blacklist using SNI; need to decrypt to whitelist TLS 1.3: draft-ietf-tls-tls13 BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 53 Netflow for Security • Historically, Netflow was sampled – Reduced performance impact – Reduced traffic visibility • Unsampled Netflow summarizes all traffic to/from a host • Network is the sensor • Analysis of Netflow traffic finds compromised hosts by their traffic patterns – Host communicates to neighbors – Host communicates to command and control servers • Lancope useful • Ongoing research within Cisco BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 54 (Perfect) Forward Secrecy • With normal RSA, the server’s public key allows decrypting all previous traffic – Don’t lose the private key! • With Forward Secrecy, the server’s public key doesn’t allow decrypting previous traffic • Forward secrecy often performed with a separate Diffie-Hellman exchange – DH exchange is computationally expensive – DH exchange is additional round-trip (optimized in TLS 1.3) • TLS connection re-use means DH exchange is valid for days – Days is not perfect, but days is better than years! Security is a trade-off BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 55 Summary Conclusion • HTTPS encrypted traffic is 30% of most networks, and will continue to grow • Cisco Web Security Appliance and Cloud Web Security can inspect HTTPS • Installing root certificate on clients will remain an operational headache • Future will provide mechanisms to cache content BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 57 Related Sessions • BRKSEC-3772, Advanced Web Security Deployment with WSA, Tobias Mayer • BRKSEC-3127, Dive into Cisco’s Email Encryption Capabillities, Hrvoje Dogan • BRKSEC-2909, In Search of the Silver Bullet for Protection, Jonny Noble • BRKSEC-2053, Practical PKI for Remote Access VPN, Ned Zaldivar • BRKSEC-3128, Secure your network with distributed behavioral analytics, JP Vasseur • BRKSEC-2136, Preventing Armageddon: Finding the threat with Netflow, Matt Robertson BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 58 Call to Action • Visit the World of Solutions for – Cisco Campus – Security Booth – Technical Solution Clinics • Meet the Engineer – I am available this afternoon, see me after this session • Lunch time Table Topics • DevNet zone related labs and sessions • Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015 BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 59 Complete Your Online Session Evaluation • Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. • All surveys can be completed via the Cisco Live Mobile App or the Communication Stations BRKSEC-2525 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
© Copyright 2024