[HN Gopher] Implementing a toy version of TLS 1.3
       ___________________________________________________________________
        
       Implementing a toy version of TLS 1.3
        
       Author : jfarmer
       Score  : 52 points
       Date   : 2022-03-23 20:08 UTC (2 hours ago)
        
 (HTM) web link (jvns.ca)
 (TXT) w3m dump (jvns.ca)
        
       | tedunangst wrote:
       | > When the HTTP response is done, we get these bytes: []byte{48,
       | 13, 10, 13, 10, 23}. I don't know what this is supposed to mean
       | exactly but it seems to signal the end of the connection.
       | 
       | HTTP headers include Content-Length, so you should know when you
       | get a truncated response, but TLS is supposed to be more general
       | purpose, so it includes its own crypto secure end of connection
       | indicator.
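
Added example, not from the post or from this thread: in TLS 1.3 the decrypted body of a record is laid out as content, then a one-byte content type, then optional zero padding (RFC 8446 section 5.2). So the trailing 23 in the bytes quoted above is the inner content type application_data, and the five bytes before it are ASCII "0\r\n\r\n", the last-chunk terminator of an HTTP/1.1 chunked body. The end-of-connection signal tedunangst refers to is the close_notify alert (inner type 21, description 0); because it travels inside an AEAD-protected record, a peer can tell it apart from a bare TCP FIN, which is all an attacker who truncates the stream can produce. The Go below strips the padding, dispatches on the content type and recognises close_notify. The first sample is the byte sequence quoted from the post; the other samples are constructed, and the names (Classify, Event, SplitInnerPlaintext) are this example's own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Content types carried in the trailing byte of a TLS 1.3 TLSInnerPlaintext
// (RFC 8446 section 5.2): content || type || zero padding.
const (
	ContentAlert           = 21
	ContentHandshake       = 22
	ContentApplicationData = 23
)

// Alert level and description values used below (RFC 8446 section 6).
const (
	AlertLevelWarning = 1
	AlertLevelFatal   = 2
	AlertCloseNotify  = 0
)

// SplitInnerPlaintext takes a decrypted TLS 1.3 record body, strips the zero
// padding and returns the content type byte and the content before it.
// An all-zero body has no type byte and is malformed (the peer must be
// answered with an unexpected_message alert, RFC 8446 section 5.4).
func SplitInnerPlaintext(plaintext []byte) (byte, []byte, error) {
	i := len(plaintext) - 1
	for i >= 0 && plaintext[i] == 0 {
		i--
	}
	if i < 0 {
		return 0, nil, errors.New("no content type byte in inner plaintext")
	}
	return plaintext[i], plaintext[:i], nil
}

// Event is what a decrypted record means to the connection.
type Event struct {
	Kind    string // "data", "handshake", "alert" or "close_notify"
	Payload []byte // application data, handshake bytes, or the 2-byte alert
	Fatal   bool   // alert level was fatal
}

// Classify dispatches on the inner content type. close_notify is the
// authenticated end-of-stream signal: a TCP FIN without it is truncation.
func Classify(plaintext []byte) (Event, error) {
	typ, content, err := SplitInnerPlaintext(plaintext)
	if err != nil {
		return Event{}, err
	}
	switch typ {
	case ContentApplicationData:
		return Event{Kind: "data", Payload: content}, nil
	case ContentHandshake:
		return Event{Kind: "handshake", Payload: content}, nil
	case ContentAlert:
		if len(content) != 2 {
			return Event{}, fmt.Errorf("alert body has %d bytes, want 2", len(content))
		}
		if content[1] == AlertCloseNotify {
			return Event{Kind: "close_notify", Payload: content}, nil
		}
		return Event{Kind: "alert", Payload: content, Fatal: content[0] == AlertLevelFatal}, nil
	}
	return Event{}, fmt.Errorf("unknown inner content type %d", typ)
}

// IsChunkedTerminator reports whether application data ends with "0\r\n\r\n",
// the last chunk of an HTTP/1.1 chunked body (the bytes quoted from the post).
func IsChunkedTerminator(data []byte) bool {
	return bytes.HasSuffix(data, []byte("0\r\n\r\n"))
}

func main() {
	samples := [][]byte{
		{48, 13, 10, 13, 10, 23},                            // quoted from the post
		{AlertLevelWarning, AlertCloseNotify, ContentAlert}, // constructed close_notify
		{'o', 'k', ContentApplicationData, 0, 0, 0, 0},      // constructed, with padding
	}
	for _, s := range samples {
		ev, err := Classify(s)
		fmt.Printf("%v -> kind=%s payload=%q fatal=%v err=%v chunked_end=%v\n",
			s, ev.Kind, ev.Payload, ev.Fatal, err, IsChunkedTerminator(ev.Payload))
	}
}
```

A client that closes the connection on TCP FIN alone, without having seen close_notify (or, for HTTP, the Content-Length or last chunk), cannot distinguish a complete response from a truncated one.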
        
       | drewg123 wrote:
        | I'm super impressed that they got it to work so quickly. What I
        | hate about crypto is that it is either wrong or right; there is no
        | "mostly working" that you can identify easily and use as a
        | debugging aid.
       | 
       | This drove me crazy when I was working on kTLS in FreeBSD. When I
       | worked on other features (like getting checksum offload right in
       | NIC firmware) there were easy tricks I could use for debugging,
        | like sending a stream of all zeros. For crypto, it was basically
        | back to first principles and code examination.
        
       | tialaramex wrote:
        | Hopefully I have actually insightful things to say about this fun
        | toy. However, before that:
       | 
       | > elliptic curve "multiplication", where n * P means "add P to
       | itself n times"
       | 
        | Not very smoothly described, but this is all multiplication means
        | for the natural numbers you learned in primary school too! Why is
       | 7 x 7 = 49? Because if you start with zero and add 7, seven
       | times, you get 49. Try it. This is an important and re-usable
       | insight, it's part of a larger beautiful framework of mathematics
       | and I believe is much better instructed via modern teaching of
       | arithmetic in schools than "rote learning" of times tables did
       | for my parents.
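
As an added example (not from the thread and not the toy implementation's own code): the "add P to itself n times" definition turned into the double-and-add loop that implementations actually use, written once over any additive group and run both on the integers (where it is schoolbook multiplication, 7 * 7 = 49) and on points of a small curve. The curve y^2 = x^3 + 7 over F_17 and its base point (15, 4) are constructed for this example. The loop branches on the bits of the scalar, so it is not constant-time; X25519, which the post uses, is computed with a Montgomery ladder partly for that reason, and this code is for understanding the arithmetic, not for handling keys.

```go
package main

import "fmt"

// Element is anything with an associative, commutative addition.
type Element interface {
	Add(other Element) Element
}

// ScalarMul computes n*P by double-and-add: walk the bits of n, doubling the
// addend each step and adding it in where the bit is set (O(log n) additions).
func ScalarMul(n uint64, p, zero Element) Element {
	result, addend := zero, p
	for n > 0 {
		if n&1 == 1 {
			result = result.Add(addend)
		}
		addend = addend.Add(addend)
		n >>= 1
	}
	return result
}

// RepeatedAdd is the definition being explained: start at zero, add P n times.
func RepeatedAdd(n uint64, p, zero Element) Element {
	result := zero
	for i := uint64(0); i < n; i++ {
		result = result.Add(p)
	}
	return result
}

// Int is the integers under ordinary addition, so ScalarMul(7, 7, 0) is 49.
type Int int64

func (a Int) Add(other Element) Element { return a + other.(Int) }

// Toy curve y^2 = x^3 + a*x + b over F_p, constructed for this example.
const (
	curveP int64 = 17
	curveA int64 = 0
	curveB int64 = 7
)

// Point is an affine point; Inf marks the point at infinity (the identity).
type Point struct {
	X, Y int64
	Inf  bool
}

func mod(a int64) int64 { return (a%curveP + curveP) % curveP }

// inv returns a^(p-2) mod p, the inverse by Fermat since p is prime.
func inv(a int64) int64 {
	result, base := int64(1), mod(a)
	for e := curveP - 2; e > 0; e >>= 1 {
		if e&1 == 1 {
			result = mod(result * base)
		}
		base = mod(base * base)
	}
	return result
}

// OnCurve checks y^2 == x^3 + a*x + b (mod p).
func OnCurve(p Point) bool {
	return p.Inf || mod(p.Y*p.Y) == mod(p.X*p.X*p.X+curveA*p.X+curveB)
}

// Add is the chord-and-tangent rule in affine coordinates.
func (p Point) Add(other Element) Element {
	q := other.(Point)
	if p.Inf {
		return q
	}
	if q.Inf {
		return p
	}
	if p.X == q.X && mod(p.Y+q.Y) == 0 {
		return Point{Inf: true} // P + (-P) is the identity
	}
	var lambda int64
	if p.X == q.X { // doubling: slope of the tangent
		lambda = mod((3*p.X*p.X + curveA) * inv(2*p.Y))
	} else { // distinct points: slope of the chord
		lambda = mod((q.Y - p.Y) * inv(q.X-p.X))
	}
	x3 := mod(lambda*lambda - p.X - q.X)
	return Point{X: x3, Y: mod(lambda*(p.X-x3) - p.Y)}
}

func main() {
	fmt.Println("7 * 7 =", ScalarMul(7, Int(7), Int(0)))
	g, inf := Point{X: 15, Y: 4}, Point{Inf: true} // 15^3 + 7 = 16 = 4^2 (mod 17)
	fmt.Printf("2G = %+v, 3G = %+v\n", ScalarMul(2, g, inf), ScalarMul(3, g, inf))
}
```

The check worth keeping from this is that double-and-add and the naive n-fold addition agree for every n, including scalars past the order of the point, where the result wraps through the point at infinity.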
        
       | profmonocle wrote:
       | Learning a protocol by writing a toy client (or toy server) is a
       | blast. It's so satisfying to see a real, production-quality
       | server sending real responses to your little mess.
        
         | tptacek wrote:
         | You'd probably enjoy work as a software pentester, where the
         | docket --- at least for non-web-applications, which admittedly
         | are the most common project if you don't specialize --- is
         | almost entirely building tooling-grade implementations of
         | random protocols so you can test for vulnerabilities.
        
       | tptacek wrote:
       | This is wonderful.
       | 
        | I was super excited to dive in and find the RSA code so I could
       | preen about Bleichenbacher's vulnerability, but she neatly
       | sidestepped that by doing ECDH. Then I thought, well, maybe it's
       | P-curve ECDH and I can preen about invalid curve attacks on
       | static-ephemeral ECDH. But nope, X25519! My point here, apart
       | from making fun of myself for being the kind of person who would
       | write this stuff on a message board, is TLS 1.3 is pretty solid.
       | 
       | The "block thing" that's kind of weird is, I assume, the TLS
       | Record Layer. TLS runs (ordinarily) over TCP, which provides a
       | non-demarcated stream of bytes. TLS breaks that stream up into
       | records, and runs its handshake messages over one type of record,
       | (say) HTTPS over another, and "alerts" over a third. The Record
       | Layer also interacts, I think, with TLS's misbegotten compression
       | system?
       | 
       | In the same vein as this project (but with different goals) is
       | Trevor Perrin's tlslite, which is implemented in pure Python:
       | https://github.com/trevp/tlslite
        
         | westurner wrote:
         | > _tlslite_
         | 
         | "PEP 543 - A Unified TLS API for Python" #interfaces (-2016)
         | https://peps.python.org/pep-0543/#interfaces
        
         | benmmurphy wrote:
          | I guess TLS needs records because it wants to mix signalling
          | data with the data stream (stuff like alerts, keyupdate,
          | renegotiation for TLS 1.2). But I guess also they want to use
          | block ciphers, and for stream ciphers they want some kind of
          | authentication, so I'm not sure how you would do this without
          | some form of framing. There is also some more strangeness with
          | the TLS record layer because handshake messages and potentially
          | other messages are allowed to be fragmented over multiple TLS
          | records, or you can have multiple handshake messages in the same
          | TLS record (I think there are some restrictions in TLS 1.3 about
          | mixing different message types). This also might be a way to
          | mess with TLS censorship middle boxes because they might not be
          | robustly coded. I have a plugin for mitmproxy that does TLS
          | interception using knowledge of the shared key but it doesn't
          | handle fragmentation of handshake messages and a bunch of other
          | quirks correctly.
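
Added example for the record layer tptacek describes and the fragmentation quirk benmmurphy raises (not code from the thread or from the toy implementation): a parser that cuts a byte stream into records on the 5-byte header (type, legacy version, 16-bit length) and then reassembles handshake messages on their own 4-byte header (type, 24-bit length), so a message split across two records comes out whole and two messages packed into one record come out separately. It applies the rules from RFC 8446 section 5.1 that make the non-robust middlebox behaviour benmmurphy mentions a bug: a record may not carry more than 2^14 bytes, handshake fragments may not be empty, and another record type may not arrive while a handshake message is incomplete. The sample stream is constructed, shown as it would look after record-layer decryption, with placeholder message bodies; the names (ParseRecords, ReassembleHandshake, SampleStream) are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Record content types and the plaintext fragment limit (RFC 8446 section 5.1).
const (
	RecordAlert           = 21
	RecordHandshake       = 22
	RecordApplicationData = 23
	maxFragment           = 1 << 14
)

// Record is one TLS record: 5-byte header (type, legacy version, length) + fragment.
type Record struct {
	Type     byte
	Fragment []byte
}

// ParseRecords cuts a byte stream on record boundaries, rejecting a record
// that claims more than 2^14 bytes or runs past the end of the stream.
func ParseRecords(stream []byte) ([]Record, error) {
	var records []Record
	for len(stream) > 0 {
		if len(stream) < 5 {
			return nil, errors.New("truncated record header")
		}
		length := int(binary.BigEndian.Uint16(stream[3:5]))
		if length > maxFragment {
			return nil, fmt.Errorf("record length %d exceeds 2^14", length)
		}
		if len(stream) < 5+length {
			return nil, errors.New("truncated record fragment")
		}
		records = append(records, Record{Type: stream[0], Fragment: stream[5 : 5+length]})
		stream = stream[5+length:]
	}
	return records, nil
}

// HandshakeMessage is a whole handshake message: 1-byte type, 3-byte length, body.
type HandshakeMessage struct {
	Type byte
	Body []byte
}

// ReassembleHandshake joins the fragments of consecutive handshake records and
// re-cuts them on message boundaries. Another record type arriving mid-message,
// or an empty handshake fragment, is rejected as RFC 8446 section 5.1 requires.
func ReassembleHandshake(records []Record) ([]HandshakeMessage, error) {
	var msgs []HandshakeMessage
	var buf []byte
	for _, r := range records {
		if r.Type != RecordHandshake {
			if len(buf) > 0 {
				return nil, fmt.Errorf("record type %d interleaved with a partial handshake message", r.Type)
			}
			continue
		}
		if len(r.Fragment) == 0 {
			return nil, errors.New("zero-length handshake fragment")
		}
		buf = append(buf, r.Fragment...)
		for len(buf) >= 4 {
			bodyLen := int(buf[1])<<16 | int(buf[2])<<8 | int(buf[3])
			if len(buf) < 4+bodyLen {
				break // the rest of this message is in a later record
			}
			msgs = append(msgs, HandshakeMessage{Type: buf[0], Body: append([]byte(nil), buf[4:4+bodyLen]...)})
			buf = buf[4+bodyLen:]
		}
	}
	if len(buf) > 0 {
		return nil, errors.New("stream ended inside a handshake message")
	}
	return msgs, nil
}

func record(typ byte, frag []byte) []byte {
	return append([]byte{typ, 3, 3, byte(len(frag) >> 8), byte(len(frag))}, frag...)
}

func handshake(typ byte, body []byte) []byte {
	return append([]byte{typ, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
}

// SampleStream is constructed for this example (not a capture): two handshake
// messages in one record, one message split over two records, then application
// data. Bodies are placeholders, not real TLS encodings.
func SampleStream() []byte {
	ee := handshake(8, []byte{0, 0})             // EncryptedExtensions
	cert := handshake(11, []byte("certificate")) // Certificate
	fin := handshake(20, []byte("verify_data!")) // Finished, 16 bytes in total
	var s []byte
	s = append(s, record(RecordHandshake, append(append([]byte{}, ee...), cert...))...)
	s = append(s, record(RecordHandshake, fin[:6])...)
	s = append(s, record(RecordHandshake, fin[6:])...)
	return append(s, record(RecordApplicationData, []byte("GET / HTTP/1.1\r\n"))...)
}

func main() {
	recs, err := ParseRecords(SampleStream())
	if err != nil {
		panic(err)
	}
	msgs, err := ReassembleHandshake(recs)
	fmt.Printf("%d records -> %d handshake messages, err=%v\n", len(recs), len(msgs), err)
	for _, m := range msgs {
		fmt.Printf("  type %d, body %q\n", m.Type, m.Body)
	}
}
```

A middlebox that only looks at the first handshake message in each record, or assumes each record starts a new message, would misparse this stream; a conforming endpoint reads exactly three messages from it.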
        
       ___________________________________________________________________
       (page generated 2022-03-23 23:00 UTC)