Shulou(Shulou.com)06/02 Report--

This paper mainly introduces the cryptographic protocol TLS, which is used to provide security for computer network communication, from the advantages, deployment and time development line of TLS 1.3.This paper mainly introduces the cryptographic protocol TLS which is used to provide security for computer network communication.

Introduction to TLS

According to Wikipedia, TLS is a cryptographic protocol used to provide security for computer network communications, and its predecessor, secure socket layer (SSL), must have been heard of by many people. TLS is widely used in IP-based network protocols, such as HTTP, SMTP, FTP and so on. In recent years, the free certificate service provided by Let's Encrypt, the fact that browsers only enable HTTP/2 for HTTPS sites, and marking websites that require passwords without using HTTPS as insecure have strongly promoted the deployment of HTTPS, and the international deployment rate of HTTPS has now exceeded 50%. Driven by various factors, domestic sites and applications are also vigorously promoting the use of cryptographic protocols such as TLS.

Figure 1: data from Google Transparency Report, obtained on September 14, 2018

Preponderant Security Protection of TLS 1.3

TLS 1.3 removes many outdated cryptographic prototypes and features (such as compression, renegotiation), forcing perfect forward security. TLS 1.2 supports many encryption algorithms (including 3DES, static DH, etc.), which leads to FREAK, Logjam, Sweet32 and other attacks. TLS 1.3 tightens the restrictions on encryption prototypes to avoid affecting the security of the protocol due to insecure algorithms enabled by the server. This simplification also makes it easier for operators and developers to configure TLS, and it is no longer easy to misuse insecure configurations.

Prior to TLS 1.3, the entire handshake was not protected by encryption, which revealed a lot of information, including the identity of the client and server. TLS 1.3 encrypts most of the handshake information, which protects users' privacy and prevents protocol rigidity to some extent.

Performance improvement

Although computers are getting faster and faster, the time it takes to transmit data on the Internet is still limited by the speed of light, so the time of transmission back and forth between the two nodes (RTT) has become one of the factors that limit the performance of the protocol. TLS 1.3 requires only one RTT to complete the handshake, saving a RTT compared to TLS 1.2. And TLS 1.3 supports "0-RTT" mode, in which the client can send data while shaking hands, greatly speeding up the loading speed of the page. TLS 1.3 also adds ChaCha20/Poly1305 support, which can improve encryption and decryption performance on old devices that do not support AES hardware instructions.

Deployment of TLS 1.3

Tengine 2.2.2 / nginx 1.13.0 provides TLS 1.3 support, which can be upgraded to TLS 1.3 in conjunction with OpenSSL 1.1.1. Add TLSv1.3 to ssl_protocols in the configuration file to enable TLS 1.3 support. Qualys's SSL server test [1] is a very convenient TLS configuration testing tool, which can easily detect the TLS configuration and security of public network sites.

Protocol fossilization

When an Internet protocol remains unchanged for a long time, the devices developed based on the protocol may ignore its reserved workarounds and make assumptions about its characteristics beyond the standard, which is the phenomenon of protocol fossilization. In the process of perfecting TLS 1.3, the new protocol has to simulate some behaviors of the old protocol because of the protocol rigidity, which greatly slows down the progress of TLS 1.3 standardization. Although the working group dealt with many of the problems that occurred in actual testing when developing the TLS 1.3 standard, we still need to pay attention to possible compatibility issues when we deploy to an online environment.

TLS 1.3 development timeline

Nginx 1.13.0 was released on April 25th, 2017, with the addition of TLS 1.3 support.

On March 21, 2018, IESG approved the draft TLS 1.3.

On April 17, 2018, Chrome 66 enabled support for draft TLS 1.3 by default.

On May 9, 2018, Firefox 60 enabled support for draft TLS 1.3 by default.

On August 10th, 2018, IETF released the TLS 1.3 standard.

On September 11, 2018, OpenSSL version 1.1.1 (LTS) was released with TLS 1.3 support. TLS 1.3 overtook TLS 1.0 to become the second most used TLS version on Cloudflare.

On October 16th, 2018, Chrome 70 supported the formal standard of TLS 1.3.

On October 23, 2018, Firefox 63 supported the formal standard of TLS 1.3.

references

[1] https://www.ssllabs.com/ssltest/

[2] https://tools.ietf.org/html/rfc8446

[3] https://en.wikipedia.org/wiki/Transport_Layer_Security

[4] https://blog.mozilla.org/security/2018/08/13/tls-1-3-published-in-firefox-today/

[5] https://ietf.org/blog/tls13/

[6] https://kinsta.com/blog/tls-1-3/

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.