Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How TLS 1.3 updates aim to ensure secure Internet communications

Following a slew of TLS vulnerabilities over the past year, the IETF is working on an updated version of the protocol. Security expert Michael Cobb discusses the changes and improvements.

There a number of attacks targeting the SSL/TLS protocol that have put secure Internet communications at risk....

These attacks include BEAST, CRIME, BREACH, RC4 Attack, Renegotiation Attack, Lucky Thirteen, BERserk, Truncation Attack and Triple Handshake Attack.

The growing number of these attacks is so great a concern that the Transport Layer Security (TLS) Working Group of the Internet Engineering Task Force (IETF) is working on a new version of the protocol, TLS 1.3, to address the vulnerabilities that have been exposed over the past few years, reduce the chance of implementation errors, and remove features that are no longer needed.

In this tip, I will discuss some of the updates that will help address vulnerabilities and improve secure Internet communications.

TLS 1.3 updates and improvements

TLS 1.3 will be based on the earlier TLS 1.1 and 1.2 specifications, but without unnecessary options and functions, such as support for compression and non-AEAD (Authenticated Encryption with Associated Data) ciphers. Removing the code that implements features no longer needed will reduce the chances of potentially dangerous coding errors and immediately reduce the attack surface. 

Removing the code that implements features no longer needed will reduce the chances of potentially dangerous coding errors and immediately reduce the attack surface.

The IETF has also decided to move away from RSA-based key transport in favor of protocols that support perfect forward secrecy (PFS) and are easier to analyze. TLS has had cipher suites based on RSA key transport since SSL 2.0, but confidence in RSA has been shaken over the past few years. Fact of the matter is, cryptanalysts are constantly improving at factoring large numbers. RSA derives its security from the difficulty of factoring large numbers, which means RSA key lengths are having to be increased to maintain security, which in turn slows down the encryption process.

Cipher suites that use RSA for authentication and key exchange are protected solely by the server's RSA private key. If the key is compromised now or sometime in the future, all handshakes using these cipher suites will be compromised. RSA certificates will still be allowed in TLS 1.3, but a key establishment will be via Diffie-Hellman (DH) or Elliptic curve Diffie-Hellman (ECDH). Using DH or ECDH algorithms for key exchange ensures PFS as a new key is negotiated for each handshake. Support for HMAC-SHA256 cipher suites has been added while the IDEA and DES cipher suites have been deprecated.

Reducing implementation flaws with TLS 1.3

Implementation flaws have always been a big problem with any encryption technology, and TLS is no exception. The infamous Heartbleed bug was a result of a surprisingly small bug in a piece of logic that relates to the OpenSSL implementation of the TLS heartbeat mechanism, which is designed to keep connections alive even when no data is being transmitted.

Another example is a variant of the POODLE attack that exploits certain implementations of the TLS protocol, which don't correctly validate encryption padding. This makes some servers vulnerable to POODLE even if they disable SSL -- one of the recommended techniques for countering a POODLE attack.

Having an updated protocol is essential to maintain trust in the Internet as a whole.

Making TLS easier to implement will reduce the chances of implementation errors putting the Internet community at risk. The IETF's Using TLS in Applications (UTA) working group will offer common guidelines and best practices for using TLS in applications, such as the use of the latest crypto algorithms and eliminating the use of older TLS/SSL versions, as well as guidance on how certain applications should use the encryption protocol. To promote interoperability among encrypted systems, the UTA is also working on guidance for using TLS with the instant messaging protocol XMPP and with email client protocols POP, IMAP and SMTP Submission -- a variant of the SMTP protocol.

The '1 round trip time' handshake

TLS 1.3 is being designed to allow for a "1 round trip time" or "1-RTT" handshake by changing the order of messages sent when establishing a secure connection between a server and client.

When using TLS 1.3, the client will send a Client Key Exchange message containing its cryptographic parameters for key establishment before a cipher suite has been negotiated. This will allow a server to calculate the keys for encryption and authentication before sending its first response. Reducing the number of packets sent during this handshake phase will not only speed up the whole process, but also reduce the attack surface.

The TLS 1.3 protocol will have a backwards compatibility mode; if the client's cryptographic parameters don't match the cipher suites supported by the server, it will send a Server Hello message with a valid cipher suite and restart the handshake.

Conclusion

Note that TLS 1.3 is still a draft and has not been finalized. However, having an updated protocol that's faster, more secure and easier to implement is essential to ensure the privacy and security of information exchange and to maintain trust in the Internet as a whole.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He was also formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS). Mike has a passion for making IT security best practices easier to understand and achievable. His website www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.

Next Steps

Check out SearchSecurity's latest SSL and TLS security news and advice

Learn how education and technology can improve SSL/TLS security

This was last published in March 2015

Dig Deeper on VPN security

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

4 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Which TLS 1.3 feature or update do you think will help best improve security?
Cancel
Dropping all the RSA code will make TLS 1.3 a lot more focused and faster and I am sure would be broken within a decade anyway and needs longer and longer keys just to compare. I see that a 256-bit ECC is stronger than even a 3072-bit RSA. Plus the computation of both is linear (ECC) to exponential (RSA) respectively, hence cheaper hardware in the long run.
Cancel
TLS 1.3 promises faster messaging and to be easier to setup, which I back 100%, along with less focus on the NSA infested RSA security.
Cancel
Anything that helps make TLS more secure, trustworthy and protects users is a win in my book.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close