World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved
Forward-secrecy protocol comes with the 28th draft
A much-needed update to internet security has finally passed at the Internet Engineering Task Force (IETF), after four years and 28 drafts.
Internet engineers meeting in London, England, approved the updated TLS 1.3 protocol despite a wave of last-minute concerns that it could cause networking nightmares.
TLS 1.3 won unanimous approval (well, one “no objection” amid the yeses), paving the way for its widespread implementation and use in software and products from Oracle’s Java to Google’s Chrome browser.
The new protocol aims to comprehensively thwart any attempts by the NSA and other eavesdroppers to decrypt intercepted HTTPS connections and other encrypted network packets. TLS 1.3 should also speed up secure communications thanks to its streamlined approach.
The critical nature of the protocol, however, has meant that progress has been slow and, on occasion, controversial. This time last year, Google paused its plan to support the new protocol in Chrome when an IT schools administrator in Maryland reported that a third of the 50,000 Chromebooks he managed bricked themselves after being updating to use the tech.
Most recently, banks and businesses complained that, thanks to the way the new protocol does security, they will be cut off from being able to inspect and analyze TLS 1.3 encrypted traffic flowing through their networks, and so potentially be at greater risk from attack.
Unfortunately, that self-same ability to decrypt secure traffic on your own network can also be potentially used by third parties to grab and decrypt communications.
An effort to effectively insert a backdoor into the protocol was met with disdain and some anger by internet engineers, many of whom pointed out that it will still be possible to introduce middleware to monitor and analyze internal network traffic.
The backdoor proposal did not move forward, meaning the internet as a whole will become more secure and faster, while banks and similar outfits will have to do a little extra work to accommodate and inspect TLS 1.3 connections as required.
At the heart of the change – and the complaints – are two key elements: forward secrecy, and ephemeral encryption keys.
TLS – standing for Transport Layer Security – basically works by creating a secure connection between a client and a server – your laptop, for example, and a company’s website. All this is done before any real information is shared – like credit card details or personal information.
Under TLS 1.2 this is a fairly lengthy process that can take as much as half-a-second:
- The client says hi to the server and offers a range of strong encryption systems it can work with
- The server says hi back, explains which encryption system it will use and sends an encryption key
- The client takes that key and uses it to encrypt and send back a random series of letters
- Together they use this exchange to create two new keys: a master key and a session key – the master key being stronger; the session key weaker.
- The client then says which encryption system it plans to use for the weaker, session key – which allows data to be sent much faster because it doesn’t have to be processed as much
- The server acknowledges that system will be used, and then the two start sharing the actual information that the whole exchange is about
TLS 1.3 speeds that whole process up by bundling several steps together:
- The client says hi, here’s the systems I plan to use
- The server gets back saying hi, ok let’s use them, here’s my key, we should be good to go
- The client responds saying, yep that all looks good, here are the session keys
As well as being faster, TLS 1.3 is much more secure because it ditches many of the older encryption algorithms that TLS 1.2 supports that over the years people have managed to find holes in. Effectively the older crypto-systems potentially allowed miscreants to figure out what previous keys had been used (called “non-forward secrecy”) and so decrypt previous conversations.
A little less conversation
People using TLS 1.3 will only be able to use more recent systems that are much harder to crack – at least for now. Any effort to force the conversation to use a weaker 1.2 system will be detected and flagged as a problem.
Another very important advantage to TLS 1.3 – but also one that some security experts are concerned about – is called “0-RTT Resumption” which effectively allows the client and server to remember if they have spoken before, and so forego all the checks, using previous keys to start talking immediately.
That will make connections much faster but the concern of course is that someone malicious could get hold of the “0-RTT Resumption” information and pose as one of the parties. Although internet engineers are less concerned about this security risk – which would require getting access to a machine – than the TLS 1.2 system that allowed people to hijack and listen into a conversation.
In short, it’s a win-win but will require people to put in some effort to make it all work properly.
The big losers will be criminals and security services who will be shut out of secure communications – at least until they figure out a way to crack this new protocol. At which point the IETF will start on TLS 1.4. ®
Read the original article over at The Register.