« Previous 1 2 3
TLS 1.3 and the return of common sense
Cryptography
Conclusion
TLS 1.3 brings some much-needed improvements (see Table 1 for a summary) at a time of heightened concerns over data security and the integrity of encrypted communications. From state-of-the-art AEAD encryption with perfect forward secrecy to new cipher suites to low-latency session initialization with 1-RTT, the standard represents a major leap forward for data integrity, confidentiality, and authenticity.
Table 1
Main Improvements in TLS 1.3
New Feature | Function |
---|---|
AEAD encryption | AEAD cipher modes handle both encryption and authentication simultaneously (unlike MAC-then-Encrypt). |
New cipher suites | Stronger ciphers and a simplified architecture. |
New elliptic curves | Curve25519 and Curve448 for ephemeral key exchange, as well as functions for performing key agreement using Diffie-Hellman operations. |
Low-latency handshake | Uses 1-RTT instead of 2-RTT. |
No-overhead session resumption | Uses 0-RTT instead of 1-RTT. |
Perfect forward secrecy | By default, except for connections using 0-RTT session resumption. |
No legacy crypto ciphers | Such as RC4 (BEAST mitigation). |
No TLS-level compression | CRIME, TIME mitigation. |
Compatibility mode for now-obsolete middleboxes | Deep packet inspection is no longer feasible and will be replaced by intelligent Encrypted Traffic Analytics (ETA) systems. |
The return of common sense is evident throughout the specification. TLS 1.3 boldly eliminates the conceptual flaws of its predecessors that opened grave vulnerabilities, some of which still linger in web hosts all across the Internet. (See the box titled "Checklist for Maximizing the Exploit Resistance of TLS.") Although it does not bring quantum-resistant cryptography, TLS 1.3 effectively shuts down virtually all known attack vectors – including Bleichenbacher's, at long last.
Checklist for Maximizing the Exploit Resistance of TLS
Upgrading to TLS 1.3 is not an end in itself. To maximize exploit resistance, the configuration must take the whole picture into account. You should consider the following:
- Activate TLS 1.3 and TLS 1.2 only, prioritize TLS 1.3 over 1.2.
- Disable all versions of the protocol before TLS 1.2.
- [TLS 1.3]: Enable required cipher suites.
- [TLS 1.2]: Disable vulnerable cipher-block chaining (CBC) MAC-then-encrypt mode to safeguard against Vaudenay, Lucky13, POODLE, LuckyMinus20, and similar exploits.
- [TLS 1.2]: Deactivate ciphers with insecure padding, such as RSA-based ciphers with PKCS#1v1.5 to mitigate ROBOT-style attacks.
- [TLS 1.2]: Turn off cipher suites based on the RC4 stream cipher to counteract BEAST-style exploits.
- [TLS 1.2]: Activate support for
TLS_FALLBACK_SCSV
to prevent protocol downgrades that facilitate the likes of the POODLE and FREAK exploits. - [TLS 1.2]: Disallow HTTP header compression in the web server settings to minimize the BREACH attack surface.
- [TLS 1.2]: Disable renegotiation with clients, if feasible. (OpenSSL mistakenly removed the ability to turn off client renegotiation in OpenSSL 1.1.0 and reintroduced it with the
SSL_OP_NO_RENEGOTIATION
flag in version 1.1.1.)
Edge and fog computing demand faster connectivity for cyber physical systems and other IoT/IIoT devices. TLS 1.3 delivers that, too: Both 0-RTT session resumption and the new full handshake in 1-RTT cut down on latency in a big way.
One of the hallmarks of the new standard is its straightforward simplicity. The new low-latency handshake provides a vivid example of a successful match of first-rate performance with top-notch security. The 0-RTT session resumption, however, comes at a high price in terms of its susceptibility to a variety of replay attacks. Even so, concerns over security are limited to software implementations, not the standard itself. It is up to web application developers to incorporate countermeasures against replay attacks on 0-RTT session resumption if they decide to use the feature.
Either way, vulnerabilities stemming from a server-side misconfiguration or weak cryptographic primitives are finally a thing of the past. Linux server administrators can finally breathe a sigh of relief.
Infos
- 2018 Thales Data Threat Report: https://dtr.thalesesecurity.com/pdf/2018-data-threat-report-global-edition-es.pdf
- Qualys SSL Pulse dashboard: https://www.ssllabs.com/ssl-pulse/
- "The Future of Open Source at NGINX" from nginx.conf 2017: https://www.nginx.com/blog/the-future-of-open-source-at-nginx/
- Can I Use: https://caniuse.com
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.