NOT-QUITE-SO-BROKEN TLS 1.3MECHANISED CONFORMANCE CHECKING

David Kaloper Meršinjak Hannes Mehnert

University of Cambridge, Computer LabsTRON, 21 February 2016

MOTIVATIONInternet standards are written informal as RFCPeople interpret RFCs differentlyPrimitives (HMAC, AES, ..) can be tested using staticvectorsProtocols include choice pointsState space explodes

TLS TESTING NOWADAYSTest against widely deployed implementationsUsing different command-line options to cover positivespaceAnybody automated tests of renegotiation/resumption?Interoperability with Widely deployed implementationEven if violating RFC

be conservative in what you do, be liberalin what you accept from others -- Postel

SOME PROBLEMSSignatureAlgorithms are not used for certificate selectionPadding (client hello) included length (servers MAYcheck)Blocking semantics during renegotiationEarly CCS: RFC does not state all preconditions for amessage

CHOICE POINTSFragmentation and paddingClient: ciphersuites, extensions, signature algorithmsClient: which keyshares to transfer?Server: version, key exchange (PSK? 0RTT?), ciphersuiteServer: certificate chain (SigAlgs, ciphersuite, KeyShare,SNI)Server: encrypted extensions (pretty clear guideline)

OUR CONTRIBUTIONKeep in mind: all records besides hellos are nowencrypted!Provide tools for automated testing and analysisSupport TLS implementors with tools for debugging

BACKGROUND: NQSB-TLSA clean-slate TLS 1.x implementation/modelStarted beginning of 2014Around 6000 lines of OCaml codeInteroperates with major stacksPerformance same ballpark as OpenSSLProtocol handler without side effects:

Transforms TLS state and input bytes toError OROk (new TLS state, out bytes, decrypted payload)

STATUS OF NQSB-1.3loc: 1862 insertions, 358 deletions (now 6000)1.3 state machine separate (apart from hello handling)draft11Can talk to itself :) (DHE, PSK, DHE-PSK)Missing 1.3 features: ECC, 0-RTT, client authentication

NQSB-1.3 TESTING TOOLSCheck conformance of YourTLS by exploring its statespaceRender sequence diagrams from traceReplay recorded traceValidate session between any two stacks

CONFORMANCE CHECKINGExplores state space by enumerating choice points in nqsbExecutes unmodified YourTLS with all sequences ofchoicesCovers space of valid interactionsReports sequences of choices which lead to failure

WIP: CONFORMANCE CHECKINGRead pre-shared keysRead ServerConfiguration and secret for 0-RTTEvaluate code coverage in nqsb and YourTLSTrigger post handshake authentication if YourTLS serverNegative tests

VISUALISATIONInput: recorded trace from nqsbRenders trace as sequence diagram (terminal/html)Purpose: easier to analyse than a trace as textWIP: PDF outputWIP: online server with database

A live demo of vis

WIP: REPLICATIONInput: trace, ephemeral and static secret, YourTLS binaryReplays one side of trace against YourTLSReports discrepancy in behaviourRecords new trace

WIP: SESSION VALIDATIONInput: session as TCP stream, ephemeral and static secretsValidates session against nqsb-TLS protocol handlerLooks ahead for decisions (ciphersuite, random, ..)Result: would nqsb have also accepted/denied the session?(outdated 1.2/1.1/1.0 version available at

)https://github.com/hannesm/trace-checker

EARLY DRAFT11 COMMENTSShould signing (PSS) hash handshake_log again (#407)?NewSessionTicket: one or any number after a singleFinished?NewSessionTicket: one more after client authentication?NewSessionTicket: useful after PSK/(EC)DHE_PSK?Fragment buffers must be empty before switching cryptoRely on 32bit UNIX epoch time (#348)KeyShareEntry encoding (#410)

INSTALLATIONRequires OCaml >= 4.02.2 and opam >= 1.2.2( )opam remote add tls13https://github.com/mirleft/tls13-opam.gitopam updateopam install tls (provides echo_client, echo_server,etc.)opam install tlstoools (provides tlsweb and tlsvis)

http://ocaml.org

CONCLUSIONA partial TLS 1.3 implementation/modelConformance checking, used as mechanised specificationEager to get interoperability working with YourTLS!2-clause BSD licensedContact: Information:

tls13@nqsb.iohttps://nqsb.io