Mastering HTTPS. Kiyoung Kim / Founder and CEO, kiyoung.kim@flyhigh-x.com, FlyHigh Co., LTD. (주식회사 플라이하이)
This should have been done long ago, but the schedule is already fixed by policy. FlyHigh Co., Ltd all rights reserved.
How do we build and identify a secure web service? If you intend to run a service for customers, you should at least do it properly. Cipher Suites, Certificate, HTTPS, Browser, Web Server
Before learning HTTPS, we need to understand the protocol. Protocol
TLS Protocol
Cipher Suite
Client -> Server: ClientHello (supported TLS version, cipher suite list, [session ID])
Server -> Client: ServerHello (TLS version decided, selected cipher suite, [session ID]), Client Cert Request, Server Certificate
Client -> Server: Client Certificate, Certificate Verify, Change Cipher Spec, Client Finished Message
Server -> Client: Change Cipher Spec, Certificate Verify, Server Finished Message
First, the version (HTTP over TLS)
SSL 1.0
SSL 2.0 - 1995
SSL 3.0 - 1996
(MD5 prohibited)
TLS 1.0 - 1999
TLS 1.1 - 2006
TLS 1.2 - 2008
TLS 1.3 - draft
(caution with SHA)
Next, the cipher suite. Secure cipher suites - https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
Value      Description                              DTLS-OK  Reference
0x00,0x9E  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      Y        [RFC5288]
0x00,0x9F  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      Y        [RFC5288]
0xC0,0x2B  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  Y        [RFC5289]
0xC0,0x2C  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  Y        [RFC5289]
0xC0,0x2F  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    Y        [RFC5289]
0xC0,0x30  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    Y        [RFC5289]
0xC0,0xA2  TLS_DHE_RSA_WITH_AES_128_CCM_8           Y        [RFC6655]
0xC0,0xA3  TLS_DHE_RSA_WITH_AES_256_CCM_8           Y        [RFC6655]
0xC0,0xAC  TLS_ECDHE_ECDSA_WITH_AES_128_CCM         Y        [RFC7251]
0xC0,0xAD  TLS_ECDHE_ECDSA_WITH_AES_256_CCM         Y        [RFC7251]
0xC0,0xAE  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8       Y        [RFC7251]
0xC0,0xAF  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8       Y        [RFC7251]
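Cipher suite structure: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Fields, in order: key exchange, authentication, cipher, mode, integrity
Key exchange (ECDHE, DHE): forward secrecy comes only from the algorithms whose name ends in E
Authentication (RSA, ECDSA, DSA): server authentication; set it to match the algorithm of the server certificate
Cipher: AES128 is the realistic optimum; if unavailable, 3DES
Mode: GCM/CCM; if unavailable, CBC
Integrity: only SHA256 and above are safe; if unavailable, SHA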
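
The naming rules on this slide applied in code, as an added example that is not part of the original deck: a Python parser that splits an IANA suite name into the five fields and lists every field that misses the slide's first choice. The function names are this example's own, the two TLS_RSA names are standard IANA names chosen to match the weak settings the deck reports later, and RC4/3DES are flagged because the deck lists them among cryptographic weaknesses.

```python
import re

# Preferred choices per field, as stated on the slide above.
FS_KEY_EXCHANGES = {"ECDHE", "DHE"}      # the trailing E (ephemeral) gives forward secrecy
AEAD_MODES = {"GCM", "CCM", "CCM_8"}
STRONG_HASHES = {"SHA256", "SHA384"}
WEAK_CIPHERS = ("RC4", "3DES", "DES", "NULL")

def parse_suite(name):
    """Split an IANA TLS 1.0-1.2 suite name into key exchange, auth, cipher, mode, hash."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)", name)
    if not m:
        raise ValueError("not a TLS_*_WITH_* name: " + name)
    left, right = m.group(1).split("_"), m.group(2)
    # TLS_RSA_WITH_... has one token: RSA does both key exchange and authentication.
    kx, auth = left[0], left[-1]
    block = re.fullmatch(r"(.+?)_(GCM|CBC|CCM_8|CCM)(?:_(\w+))?", right)
    if block:
        cipher, mode, digest = block.groups()
    else:  # stream cipher such as RC4_128_SHA has no block mode
        cipher, _, digest = right.rpartition("_")
        mode = "STREAM"
    if mode.startswith("CCM"):
        digest = "SHA256"  # CCM names carry no hash; RFC 6655/7251 use the SHA-256 PRF
    return {"kx": kx, "auth": auth, "cipher": cipher, "mode": mode, "digest": digest}

def assess(name):
    """Return the fields that fall short of the slide's first choice (empty = all met)."""
    s = parse_suite(name)
    issues = []
    if s["kx"] not in FS_KEY_EXCHANGES:
        issues.append("no forward secrecy")
    if s["cipher"].startswith(WEAK_CIPHERS):
        issues.append("weak cipher " + s["cipher"])
    if s["mode"] not in AEAD_MODES:
        issues.append("non-AEAD mode " + s["mode"])
    if s["digest"] not in STRONG_HASHES:
        issues.append("weak hash " + s["digest"])
    return issues

# Constructed sample list: two suites from the deck's table plus two weak ones.
SAMPLES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CCM_8",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLES:
        print(suite, "->", assess(suite) or "meets all preferred choices")
```
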
Cipher suite: what about my browser? https://www.ssllabs.com/ssltest/viewmyclient.html Labels: secure, forward secrecy, vulnerable
How is HTTPS done in Korea? (Banks) Cipher suite settings unrelated to the client, inconsistent security-strength settings, forward secrecy ignored. SHA1 certificate AES256_CBC, SHA1, RSA; SHA1 certificate, TLS1.0, RC4, SHA1, RSA; TLS1.0 AES256_CBC, SHA1, RSA
How is HTTPS done in Korea? (Card companies) Cipher suite settings unrelated to the client, inconsistent security-strength settings, forward secrecy ignored, inappropriate validity periods. SHA1 certificate AES256_CBC, SHA1, RSA; SHA1 certificate, AES256_CBC, SHA1; SHA1 certificate RSA
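You have been safe so far because you used a dedicated solution? You should also know that HTTPS is not the only problem. The protocols that security vendors provide are still those of 10 years ago. Mitigation is possible. SEED CBC, HAS-160. Fortunately, because accredited certificates are used, the certificates are SHA256. But there is no forward secrecy.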
SHA1: no long-term use. 2005, big-character poster (대자보): finding a collision pair, 1/2048. What would have taken 170 years takes 1 month.
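So what about overseas, even for social networks? How do social networks, which are less precious than finance, handle it? Everything except mutual authentication: SHA256 certificates, TLS1.2 supported, SHA256 used, forward secrecy supported, AES_128_GCM used. They understand it precisely and use it in the most efficient and secure way.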
In Korea, accredited certificates were upgraded to SHA256 in 2010.
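The Korean financial sector plans to upgrade server certificates to SHA256 in 2016. It would be much better to do it not "because there is no choice" but "for the continuity of customers and the business".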
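This should have been done long ago, but the schedule is already fixed by policy.
11.2014: SHA-1 signed 2-year and 3-year certificates can no longer be ordered. The validity of issued SHA-1 certificates is limited to 31 December 2016.
03.2015: Issuance of 4-year and 5-year multi-year certificates is discontinued. Certificate reissuance is limited to a maximum of 39 months.
12.2015: Issuance and reissuance of SHA-1 certificates are discontinued.
01.2016: Microsoft stops trusting all SSL and CA certificates issued with a SHA-1 signature.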
Authentication: server certificate
    # For an ECDSA server certificate
    SSLCipherSuite ECDHE-ECDSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:+TLSv1.2:!MD5:!aNULL
or
    # For an RSA server certificate
    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:+TLSv1.2:!MD5:!aNULL
    SSLCertificateFile "${SRVROOT}/conf/ssl/flyhigh.com.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/flyhigh.com.key"
Authentication: user certificate
Authentication: user certificate. Mutual authentication is possible without ActiveX, plugins, or EXEs (the most secure way to use HTTPS).
Attacks on HTTPS: main attack patterns
Cryptographic weaknesses: CBC, Padding Oracle, MD5, 3DES, RC4, DH512
Protocol weaknesses: Downgrade, non-HSTS
Product vulnerabilities: protocol handling, decoding errors
Attacks on HTTPS: main vulnerabilities
Vulnerability            Details            Target
Weak key derivation      MD5                ~SSL 3.0
Cipher Suite Downgrade   handshake          ~SSL 3.0
POODLE Attack            CBC + Downgrade    SSL 3.0
RC4 Attack                                  SSL/TLS
Truncation attack        logout blocked     SSL/TLS
FREAK attack, Logjam attack, Heartbleed bug, BERserk attack, Timing attacks on padding: OpenSSL; 512-bit DH; arms export control policy; OpenSSL; ASN.1 decoding errors in some products; SSL/TLS; SSL/TLS; Padding Oracle Attack; ~TLS 1.1
Only AES_GCM is safe.
https://en.wikipedia.org/wiki/arms_export_control_act
That is why the TLS spec keeps being revised. TLS history: have we even forgotten why ActiveX was introduced in the first place? By now, please, at least keep up with the trend. A security protocol for connecting servers and clients securely.
TLS 1.0 (2246) - 1999 (stronger cryptography, efficiency)
AES Ciphersuites for TLS (3268) - 2002
TLS Extensions (3546) - 2003
TLS 1.1 (4346) - 2006 (explicit IV)
TLS Extensions (4366) - 2006
ECC Cipher Suites TLS (4492) - 2006
TLS 1.2 (5246) - 2008 (SHA256 introduced)
TLS Authorization Extensions (5878) - 2010
TLS Renegotiation Indication Extension (5746) - 2010
Prohibiting Secure Sockets Layer (SSL) Version 2.0 (6176) - 2011
TLS Fallback SCSV for Preventing Protocol Downgrade Attacks (7507) - 2015
Prohibiting RC4 Cipher Suites (7465) - 2015
Deprecating SSL Version 3.0 (7568) - 2015
TLS Session Hash and Extended Master Secret Extension (7627) - 2015
TLS 1.3 (draft 9) - 2015 (RSA-PSS, no SHA1)
The SHA-3 standard was released by NIST on August 5, 2015. It will probably be reflected soon.
HTTPS alone cannot keep things safe. To make the web more secure, the W3C and IETF keep introducing new complementary technologies.
Considerations for Web Transaction Security (2084) - 1997
The Web Origin Concept (6454) - 2011
HTTP Strict Transport Security (6797) - 2012
Public Key Pinning Extension for HTTP (7469) - 2015
System for Cross-domain Identity Management (7642) - 2015
Content Security Policy Pinning - 2015
Content Security Policy Level 2 - 2015
Attacks on HTTPS: SSL Strip / SSL Proxy and defenses
Strict-Transport-Security: max-age=15768000 ; includesubdomains
HPKP (HTTP Public Key Pinning)
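
How a browser decides whether the header on this slide takes effect, as an added example that is not part of the original deck: a Python parser following the RFC 6797 rules (header ignored over plain HTTP, max-age required, no repeated directives) with a small audit on top. The function names, the finding texts and every sample value except the slide's own header are constructed for illustration.

```python
import re

SLIDE_MAX_AGE = 15768000  # max-age from the slide, about six months in seconds

def parse_hsts(value, over_https=True):
    """Return (max_age, include_subdomains), or None when the header is ignored."""
    if not over_https:
        # RFC 6797 section 8.1: the header is ignored on plain HTTP, so a
        # connection that was stripped to HTTP can never establish the policy.
        return None
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a repeated directive makes the whole header invalid
        seen[name] = val.strip().strip('"')  # max-age may be a quoted string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is the one required directive
    return int(seen["max-age"]), "includesubdomains" in seen

def audit(value, over_https=True):
    """List findings for one response header; an empty list means no findings."""
    policy = parse_hsts(value, over_https)
    if policy is None:
        return ["header ignored: no HSTS policy stored"]
    max_age, subdomains = policy
    findings = []
    if max_age == 0:
        findings.append("max-age=0 deletes the stored policy")
    elif max_age < SLIDE_MAX_AGE:
        findings.append("max-age below %d" % SLIDE_MAX_AGE)
    if not subdomains:
        findings.append("subdomains not covered")
    return findings

# Constructed samples; the first value is the header as written on the slide.
SAMPLES = [
    ("max-age=15768000 ; includesubdomains", True),
    ("max-age=15768000; includeSubDomains", False),
    ('max-age="300"', True),
    ("includeSubDomains", True),
]

if __name__ == "__main__":
    for header, https in SAMPLES:
        print(repr(header), "https" if https else "http", "->", audit(header, https))
```
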
HTTPS performance and mixed content. It becomes 30~40% slower; the CPU load in particular is heavy. Use of accelerator appliances: content management. Serving images over http: all browsers allowed it; iframe wrapping. Unintended information leakage. http://www.securitee.org/files/mixedinc_isc2013.pdf
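HTTPS performance and mixed content. If you are doing this for security, take a little more care. Unintended information leakage: HSTS has little effect. Do not wrap in iframes (sometimes no warning is shown). CSP (Content Security Policy): blocks unwanted content from coming in.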
Make use of the features of the latest W3C specs. Security is not done with security products alone.
HTTPS basics: HTTPS configuration. Used incorrectly, it does nothing for security.
HTTPS advanced: hardening HTTPS. Security is not done with security products alone.
Thank you. We Make You FlyHigh