What attacks does TLS mitigate?
Transport Layer Security (TLS) is used worldwide to protect the integrity and privacy of financial and other commercial transactions, operational communications by governments, medical and other private data interchange, space-borne data and telemetry links, email and personal correspondence, and other information that needs protection from disclosure or meddling while in transit. The trend in recent years is to cryptographically protect nearly all data on the public Internet, and increasingly on private intranets, mostly using TLS.
wolfSSL TLS is a best-in-class implementation of both the TLS protocol and the underlying cryptographic algorithms. It is commonly used to protect Internet connections, but because it is transport-agnostic, it is also used to protect traffic on local links and buses (e.g. UART, CAN, SPI, I2C), wireless networks (e.g. Bluetooth and BTLE, Zigbee, Zwave), and various other transports capable of bidirectional communications.
When properly deployed, wolfSSL TLS, with full support for (D)TLS 1.3, provides state of the art performance with comprehensive protection against all known network-borne attack vectors, and additionally protects against many known vectors targeting the physical endpoint.
Protection from Data Corruption and Replay:
(D)TLS uses an authenticating cipher (AEAD) or a Message Authentication Code (MAC) to guarantee that message contents are authentic and unchanged. In TLS 1.3, an AEAD such as AES-GCM is always used, simultaneously providing maximum performance and maximum security.
TLS provides firm guarantees that messages cannot be replayed, inserted, or omitted, by including single-use random data during connection establishment, and an internal message counter within each connection so that each message is guaranteed unique and in order.
wolfSSL DTLS 1.3 additionally includes a full implementation of RFC 9147 replay prevention, so that even in connectionless sessions, an adversary cannot generally inject replayed messages. Adversarial message insertion is always prevented.
Protection of Confidentiality:
TLS includes a fundamental guarantee that the contents of messages exchanged between endpoints are safe from eavesdropping over the network. This guarantee is founded on two criteria: (1) the encryption algorithm is strong, i.e. the contents are only accessible if the key is known, and (2) the key is known only to the two endpoints. When mutual authentication (a client certificate) is used, the guarantee is strongest, with each endpoint able to identify the other end with practical certainty.
TLS also protects contents from disclosure of internal statistical patterns, when used correctly. By default, wolfSSL builds without support for TLS-layer payload compression, making it immune to the CRIME and BREACH side-channel attacks. Using TLS on all traffic further protects against the VORACLE attack on compressing VPNs, by eliminating plaintext payloads.
TLS can also provide Perfect Forward Secrecy (PFS). In this mechanism, ephemeral asymmetric keys are used during session establishment, protecting users from the possibility of coerced disclosure in adversarial store-and-decrypt scenarios, even if server or user private keys are compromised. In TLS 1.3, key negotiation always provides PFS.
Protection from Spoofing:
By default, wolfSSL TLS validates server certificates to a locally stored root of trust using the loaded list of authorities, and aborts if the server certificate can’t be fully validated. Some other common TLS implementations have different default behaviors and require that the application explicitly enable the validation requirement.
Additionally, use of a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) allows protection from certificates that have been revoked due to compromise. Of these, the most powerful and efficient mechanism is OCSP with stapling and a MustStaple certificate extension, whereby the endpoint can and must prove to its peer that its certificate is valid according to recent vetting by the issuing authority.
Client identity can be verified internal to the TLS protocol using client certificates, or the application can use its own mechanism within the secure TLS session to determine client identity.
As long as at least one certificate is validated — either server by the client, or client by the server — TLS protects the connection from man-in-the-middle (MITM, double impersonation) attacks.
Protection from Timing and Padding Attacks:
Timing attacks: wolfCrypt, the cryptographic algorithm library underlying wolfSSL, implements full protection against timing analysis, protecting secret keys and data from leakage even when attackers have unrestricted local network or bus access to the device. Internal operations that use secret key data are structured to complete in a constant number of instructions. Memory cache attacks, which exploit predictable differences in instruction completion time as a function of secret key data, are blinded with techniques that assure that affected operations complete in constant time.
Padding attacks: Certain private key operations can reveal private key data if the message is not correctly encapsulated in cryptographic padding to prevent exploitation by adversarial crafted inputs. Correct standard padding is always used in TLS to defeat these attacks.
When wolfSSL is configured with -–enable-maxstrength, additional checks are performed to defeat endpoint attacks based on injection of carefully timed electromagnetic impulses. Sibling product wolfBoot features similar defenses when built on ARM Cortex-M with the ARMORED=1 option. These defenses are an area of active research, and additional mitigations are continually in development.
Protection from Protocol Attacks:
Downgrade attacks: Earlier and ancestral versions of the TLS protocol, particularly SSLv2 and SSLv3, are now known to be vulnerable to attacks such as POODLE, BEAST, and various man-in-the-middle attacks. wolfSSL has SSLv3 disabled by default, eliminating these vulnerabilities.
TLS 1.0 and 1.1 were formally deprecated by RFC 8996 (March 2021), due to their dependence on obsolete (DSS, 3DES) and insecure (SHA-1) cryptography. wolfSSL disables TLS 1.0 by default, and TLS 1.1 can be disabled with the configure options –disable-oldtls or –enable-harden-tls. If TLS 1.1 is needed, wolfSSL allows SHA-1 to be globally disabled with –disable-sha, assuring that only secure hash algorithms will be used.
Renegotiation attacks: historic versions of TLS before 1.1 suffered from a protocol defect allowing adversarial content injection. wolfSSL is not vulnerable to these attacks. RFC 5746 secure renegotiation in TLS 1.2 and earlier is optional in wolfSSL, and TLS 1.3 omits in-session renegotiation entirely, eliminating the exposure.
The Heartbleed vulnerability and other implementation flaws specific to OpenSSL have never affected wolfSSL, as wolfSSL is an entirely independent implementation with no ancestral relationship to any current or historicOpenSSL release.
Protection from Cryptographic Obsolescence:
Several algorithms once commonly used in SSL/TLS are now known to be insecure, notably the ciphers RC4 and DES, and the digests MD5 and SHA-1. Of these, RC4 is disabled in wolfCrypt by default, DES is omitted entirely, and the digest algorithms are enabled by default but can be globally disabled. None of these algorithms are included in the TLS 1.3 protocol definition, thus any client or server configured to use only TLS 1.3 is inherently protected from deprecated cryptography.
The future of cryptography is quantum-resistant, providing best protection from store-and-decrypt (harvest now, decrypt later) and signature forgery threats. wolfCrypt supports all 3 lattice-based algorithms on the NIST standards track. The Kyber key agreement algorithm, and the Dilithium and Falcon digital signature algorithms, each offer security levels up to AES-256 equivalent strength. All 3 are fully integrated into wolfSSL TLS 1.3, and are usable today. The future is now!
Protection from Non-Cryptanalytic Attacks:
The wolfSentry embedded firewall/IDPS can be used to harden endpoints against denial of service attacks. Through integration with server applications and the wolfSSL TLS library, wolfSentry can be configured to dynamically block abusive clients, preventing resource attacks and brute force penetration attacks on constrained endpoints.
If you have any other questions or concerns please reach out to facts@wolfssl.com anytime.
