The wolfSSL library is NOT vulnerable to these attacks, thanks to previous fixes we've made and our extensive testing.
These attacks were presented by Craig Young at BlackHat Asia 3/29/2019 (slides).
Both attacks target the MAC and Padding used for TLS v1.2 with AES CBC cipher suites. TLS padding occurs when a record is not 16-byte aligned and is padded with the length value. The MAC uses HMAC with SHA/SHA256 to calculate an authention code. For TLS the order of operation is MAC -> PAD -> ENCRYPT.
The attack requires a man-in-the-middle (MITM) position to employ the attack. It takes valid records and alters either MAC or Padding or cause TLS errors. If the TLS server responds differently to each of these errors then it can leak information about the plain text message.
The author Craig Young wrote a "padcheck" tool, which tests the following error cases:
Invalid MAC with Valid Padding (0-length pad)
Missing MAC with Incomplete/Invalid Padding (255-length pad)
Typical POODLE condition (incorrect bytes followed by correct length)
All padding bytes set to 0x80 (integer overflow attempt)
Valid padding with an invalid MAC and a 0-length record
For wolfSSL we respond consistently with the same alert and close the socket for each ofl these conditions.
The recommendation from the author is to stop using AES CBC cipher suites and start using TLS v1.3, which is supported by wolfSSL. More information about wolfSSL and TLS 1.3 can be found here: https://www.wolfssl.com/docs/tls13/
TLS 1.3 has some significant changes from TLS 1.2 that are targeted at performance. This is the fourth part of six blogs discussing the performance differences observed between TLS 1.2 and TLS 1.3 in wolfSSL and how to make the most of them in your applications. This blog discusses the server generating a key pair before the handshake starts.
As mentioned in the first blog in this series there is a way to mitigate some of the key exchange cost in TLS 1.3. If the server knows which key exchange algorithm will be used, it can preemptively generate a key pair after accepting a TCP/IP connection by calling wolfSSL_UseKeyShare(). In an architecture where both end-points are controlled by the same entity, a choice of security parameters, like the key exchange algorithm, is made upfront and can be relied on.
When directly connecting to a server, typically, a client only starts creating the ClientHello once a TCP/IP connection has been made. The server accepts the connection and waits for the client to generate a key share and send a ClientHello message. In this time, the server can also generate a key pair.
When using DH for key exchange this provides a significant saving as key generation is expensive. For example when using RSA for server authentication and running both client and server on the same computer, the connection is about 20% faster and with session reuse or PSK for server authentication, the connection is about 30% faster. For connections using ECDH with ECDSA for server authentication, the connection is only about 4% faster and with session reuse or PSK for server authentication, the connection is about 7% faster. EC key generation is very fast in optimised implementations and the impact of hiding its cost is therefore less.
Servers currently reuse the ephemeral key pair across multiple connections. It is common to regenerate the key pair once an hour up to once a day. This mechanism can be used instead of server pre-generation but at the cost of perfect forward security for the server.
If your architecture allows for it, the server should be implemented to generate the key pair after accepting a connection. For DH, it is well worth it. But even for ECDH the small performance improvement will result in more connections per second.
The next blog will discuss the performance issues with handshakes performing client-server authentication.
wolfSSL is at Satelilite this year! The Satellite experience includes networking opportunities, SGx, Tech Demos, a Startup Space, and an international resource center curated from the 15k+ attendees from over 100 countries who come together for this global show. Connectivity and aerospace professionals will lead discussions on the future of satellite connectivity and the changing market landscape, hundreds of industry peers will be exhibiting cutting-edge technologies to buyers in enterprise, finance, military and government, telecommunications and transportation sectors. For 2019, Satellite will be located in Washington, DC.
TLS 1.3 has a different handshake flow when using pre-shared keys and this impacts performance. This is the third part of six blogs discussing the performance differences observed between TLS 1.2 and TLS 1.3 in wolfSSL and how to make the most of them in your applications. This blog discusses how and why PSK handshakes are only similar in speed generally but faster when using DH style key exchange.
For TLS 1.2, handshakes using PSK are defined in a separate document (RFC 4279). In order to fit in with the existing flow, a full handshake is performed. In TLS 1.3, PSK handshakes are the same as resumption handshakes. Therefore there is one less round-trip required for TLS 1.3.
This change in flow has a significant impact on the performance of TLS 1.3. The amount of hashing and encryption/decryption has increased but losing a round-trip means that using PSK without a DH style key exchange is only slightly slower. On higher latency networks, the difference is trivial and the savings great.
In TLS 1.3 using DH or ECDH with PSK results in the following handshake operations.
So, the secret is calculated on the server after the ServerHello is sent. This means that the processing of the ServerHello and secret calculation on the client is happening at the same time relative to the server calculating the secret. The parallel secret generation resulted in, with client and server running on the same computer, TLS 1.3 being about 25% faster than TLS 1.2 when using DH. Using ECDH with P-256, TLS 1.3 is about 15% faster.
It is clear that using pre-shared keys in a secure way, with DH style key exchange, is faster with TLS 1.3 in wolfSSL. The next blog will discuss use cases that result in the removal of a key generation from the list of expensive cryptographic operations in TLS 1.3.
wolfSSL's embedded SSL/TLS library has included support for TLS 1.3 since early releases of the TLS 1.3 draft. Since then, wolfSSL has remained up-to-date with the TLS 1.3 specification. In this post, the major upgrades of TLS 1.3 from TLS 1.2 are outlined below:
This protocol is defined in RFC 8446. TLS 1.3 contains improved security and speed. The major differences include:
The list of supported symmetric algorithms has been pruned of all legacy algorithms. The remaining algorithms all use Authenticated Encryption with Associated Data (AEAD) algorithms.
A zero-RTT (0-RTT) mode was added, saving a round-trip at connection setup for some application data at the cost of certain security properties.
Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.
All handshake messages after the ServerHello are now encrypted.
Key derivation functions have been re-designed, with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) being used as a primitive.
The handshake state machine has been restructured to be more consistent and remove superfluous messages.
ECC is now in the base spec and includes new signature algorithms. Point format negotiation has been removed in favor of single point format for each curve.
Compression, custom DHE groups, and DSA have been removed, RSA padding now uses PSS.
TLS 1.2 version negotiation verification mechanism was deprecated in favor of a version list in an extension.
Session resumption with and without server-side state and the PSK-based ciphersuites of earlier versions of TLS have been replaced by a single new PSK exchange.
Recently, wolfSSL released version 4.0.0 of the wolfSSL embedded SSL/TLS library. This new version includes many new port/feature additions, maintenance updates, and a couple bug fixes. Among those new feature additions includes multiple new API added to wolfSSL's OpenSSL compatibility layer! The compatibility layer is a series of commonly used and essential API that users can utilize to transition from OpenSSL to wolfSSL. The function names are redefined as their wolfSSL counterparts, which have similar signatures and output to their OpenSSL counterparts.
The list of new compatibility API included with the most recent release include the following:
wolfSSL is at LinuxFest Northwest (LFNW) this year! Bellingham Linux Users Group and the Information Technology department at BTC co-produce this annual Open Source event in Washington state. Attend presentations and exhibits on free and open source topics as well as Linux distributions and applications, InfoSec and privacy. For 2019, LFNW will be located in Bellingham, WA.
Are you a user of Deos? If so, you will be happy to know that wolfSSL recently added support for Deos RTOS and added TLS client/server examples to the wolfSSL embedded SSL/TLS library for Deos!
Deos is an embedded RTOS used for safety-critical avionics applications on commercial and military aircraft. Certified to DO-178C DAL A, the time and space partitioned RTOS features deterministic real-time response and employs patented “slack scheduling” to deliver higher CPU utilization.
The Deos port in wolfSSL is activated by using the "WOLFSSL_DEOS" macro. For instructions on how to build and run the examples on your projects, please see the “<wolfssl-root>/IDE/ECLIPSE/DEOS/README” file. This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL as well.
wolfSSL provides support for the latest and greatest version of the TLS protocol, TLS 1.3! Using the wolfSSL port with your device running Deos will allow your device to connect to the internet in one of the most secure ways possible.
At wolfSSL, we currently have a wolfSSH port to µC/OS-III in the works! µC/OS-III is a highly portable and scalable real-time kernel. Designed for ease of use on a huge number of CPU architectures, these kernels are a key component of the µC/OS real-time operating system. The features of this kernel allow it to pair nicely with the wolfSSH SSHv2 library, resulting in the maximization of the best possible encryption, speed, and strength while simultaneously allowing for minimal resource usage.
Other features that are readily available and currently supported by wolfSSH include SCP, SFTP, client authentication via RSA keys or passwords, and more!
wolfSSL is at wolfSSL at IoT Tech Expo Global this year! IoT Tech Expo Global is the world’s largest IoT conference series, covering the latest innovations within the IoT and how they impact industries such as Manufacturing, Transport, Supply Chain, Insurance, Logistics, Government, Energy and Automotive. This year’s key topics include smart building and facilities management, building the connected supply chain, smart city and transport management, smart grid data management and analytics, delivering smart connected new products, and much more. For 2019, IoT Tech Expo Global will be held in London, England.