[HN Gopher] Implementing a toy version of TLS 1.3
___________________________________________________________________
Implementing a toy version of TLS 1.3
Author : jfarmer
Score  : 52 points
Date   : 2022-03-23 20:08 UTC (2 hours ago)
web link (jvns.ca)

| tedunangst wrote:
| > When the HTTP response is done, we get these bytes: []byte{48, 13, 10, 13, 10, 23}. I don't know what this is supposed to mean exactly but it seems to signal the end of the connection.
|
| HTTP headers include Content-Length, so you should know when you get a truncated response, but TLS is supposed to be more general purpose, so it includes its own crypto secure end of connection indicator.

| drewg123 wrote:
| I'm super impressed that they got it to work so quickly. What I hate about crypto is that it is either wrong or right; there is no "mostly working" that you can identify easily and use as a debugging aid.
|
| This drove me crazy when I was working on kTLS in FreeBSD. When I worked on other features (like getting checksum offload right in NIC firmware) there were easy tricks I could use for debugging, like sending a stream of all zeros. For crypto, it was basically back to first principles and code examination.

| tialaramex wrote:
| Hopefully I have actually insightful things to say about this fun toy. However, before that:
|
| > elliptic curve "multiplication", where n * P means "add P to itself n times"
|
| Not very smoothly described, but this is all multiplication means for the natural numbers you learned in primary school too! Why is 7 x 7 = 49? Because if you start with zero and add 7, seven times, you get 49. Try it. This is an important and re-usable insight; it's part of a larger beautiful framework of mathematics and I believe is much better instructed via modern teaching of arithmetic in schools than "rote learning" of times tables did for my parents.
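The "add P to itself n times" definition from tialaramex's comment, made concrete as an added example (this is not code from the jvns.ca post or from any commenter). It uses a textbook toy curve, y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) of order 19, which is an assumption chosen only for illustration. It checks that double-and-add gives the same answer as literally adding G to itself n times, runs a toy ECDH exchange, and shows why an implementation has to check that a received point is on the curve before doing arithmetic with it, the invalid-curve issue tptacek alludes to below:

```go
package main

import "fmt"

// Toy short-Weierstrass curve y^2 = x^3 + a*x + b over F_p, using the
// textbook parameters p = 17, a = 2, b = 2 (an assumption for this
// example). The base point G = (5, 1) generates a group of order 19.
// Far too small for real use; it only makes n*P concrete.
const (
	P int64 = 17
	A int64 = 2
	B int64 = 2
)

// Point is an affine point; Inf marks the point at infinity (identity).
type Point struct {
	X, Y int64
	Inf  bool
}

var G = Point{X: 5, Y: 1}

func mod(x int64) int64 { return ((x % P) + P) % P }

// inv returns x^-1 mod P by Fermat's little theorem (P is prime).
func inv(x int64) int64 {
	r, base, e := int64(1), mod(x), P-2
	for ; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = mod(r * base)
		}
		base = mod(base * base)
	}
	return r
}

// OnCurve is the check a peer's public point must pass before any
// arithmetic: the group law below runs happily on off-curve points.
func OnCurve(p Point) bool {
	return p.Inf || mod(p.Y*p.Y) == mod(p.X*p.X*p.X+A*p.X+B)
}

// Add is the group law (chord-and-tangent), including doubling.
func Add(p, q Point) Point {
	if p.Inf {
		return q
	}
	if q.Inf {
		return p
	}
	if p.X == q.X && mod(p.Y+q.Y) == 0 {
		return Point{Inf: true} // q == -p, so the sum is the identity
	}
	var l int64
	if p.X == q.X { // p == q: tangent slope
		l = mod((3*p.X*p.X + A) * inv(2*p.Y))
	} else { // chord slope
		l = mod((q.Y - p.Y) * inv(q.X - p.X))
	}
	x := mod(l*l - p.X - q.X)
	return Point{X: x, Y: mod(l*(p.X-x) - p.Y)}
}

// ScalarMulNaive is the definition in the post: add P to itself n times.
func ScalarMulNaive(n int64, p Point) Point {
	r := Point{Inf: true}
	for i := int64(0); i < n; i++ {
		r = Add(r, p)
	}
	return r
}

// ScalarMul is double-and-add: one doubling per bit of n plus one
// addition per set bit, which is why n*P is cheap for 256-bit n while
// recovering n from n*P (the discrete log) is not.
func ScalarMul(n int64, p Point) Point {
	r := Point{Inf: true}
	for ; n > 0; n >>= 1 {
		if n&1 == 1 {
			r = Add(r, p)
		}
		p = Add(p, p)
	}
	return r
}

func main() {
	for n := int64(1); n <= 19; n++ {
		fmt.Printf("%2d*G = %+v  naive: %+v\n", n, ScalarMul(n, G), ScalarMulNaive(n, G))
	}
	// Toy ECDH: both sides compute the same point a*(b*G) == b*(a*G).
	a, b := int64(3), int64(7)
	fmt.Println("shared:", ScalarMul(a, ScalarMul(b, G)), ScalarMul(b, ScalarMul(a, G)))
	// An off-curve point still goes through Add without complaint, which is
	// why static-ephemeral ECDH on P-curves must validate the peer's point.
	bad := Point{X: 5, Y: 2}
	fmt.Println("OnCurve(bad):", OnCurve(bad), " Add(bad, bad):", Add(bad, bad))
}
```

The naive loop is only there as the reference: on a real curve n has 256 bits, so the double-and-add loop is the one you would actually run, and X25519 additionally removes the OnCurve step by design, since every 32-byte string is accepted as a valid input.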
| profmonocle wrote:
| Learning a protocol by writing a toy client (or toy server) is a blast. It's so satisfying to see a real, production-quality server sending real responses to your little mess.

| tptacek wrote:
| You'd probably enjoy work as a software pentester, where the docket --- at least for non-web-applications, which admittedly are the most common project if you don't specialize --- is almost entirely building tooling-grade implementations of random protocols so you can test for vulnerabilities.

| tptacek wrote:
| This is wonderful.
|
| I was super excited to dive in and find the RSA code so I could preen about Bleichenbacher's vulnerability, but she neatly sidestepped that by doing ECDH. Then I thought, well, maybe it's P-curve ECDH and I can preen about invalid curve attacks on static-ephemeral ECDH. But nope, X25519! My point here, apart from making fun of myself for being the kind of person who would write this stuff on a message board, is TLS 1.3 is pretty solid.
|
| The "block thing" that's kind of weird is, I assume, the TLS Record Layer. TLS runs (ordinarily) over TCP, which provides a non-demarcated stream of bytes. TLS breaks that stream up into records, and runs its handshake messages over one type of record, (say) HTTPS over another, and "alerts" over a third. The Record Layer also interacts, I think, with TLS's misbegotten compression system?
|
| In the same vein as this project (but with different goals) is Trevor Perrin's tlslite, which is implemented in pure Python: https://github.com/trevp/tlslite

| westurner wrote:
| > _tlslite_
|
| "PEP 543 - A Unified TLS API for Python" #interfaces (-2016) https://peps.python.org/pep-0543/#interfaces

| benmmurphy wrote:
| I guess TLS needs records because it wants to mix signalling data with the data stream (stuff like alerts, keyupdate, renegotiation for tls1.2).
| But I guess also they want to use block ciphers, and for stream ciphers they want some kind of authentication, so I'm not sure how you would do this without some form of framing. There is also some more strangeness with the TLS record layer because handshake messages and potentially other messages are allowed to be fragmented over multiple TLS records, or you can have multiple handshake messages in the same TLS record (I think there are some restrictions in TLS1.3 about mixing different message types). This also might be a way to mess with TLS censorship middle boxes because they might not be robustly coded. I have a plugin for mitmproxy that does TLS interception using knowledge of the shared key but it doesn't handle fragmentation of handshake messages and a bunch of other quirks correctly.

___________________________________________________________________
(page generated 2022-03-23 23:00 UTC)
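The record layer that tptacek and benmmurphy describe, and the bytes quoted in tedunangst's comment at the top of the thread, as one added example (this is not code from the jvns.ca post or from any commenter). It cuts a TCP byte stream into TLS records, reassembles a handshake message that is fragmented across two records while also separating a second message packed into the same record, and decodes TLS 1.3's inner plaintext framing: after decryption a record body is content, then the real content-type byte, then optional zero padding. Read that way, []byte{48, 13, 10, 13, 10, 23} is the final zero-length chunk of an HTTP chunked body ("0\r\n\r\n") followed by type 23 (application_data); the actual end-of-connection signal is a separate close_notify alert record. The handshake messages below are constructed stand-ins with made-up bodies, not real ClientHello or ServerHello encodings.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Record content types from RFC 8446 section 5.1.
const (
	ContentAlert           byte = 21
	ContentHandshake       byte = 22
	ContentApplicationData byte = 23
)

// Record is one record as read off the TCP stream: a 5-byte header
// (type, legacy version, length) followed by the body.
type Record struct {
	Type    byte
	Version uint16
	Body    []byte
}

// ParseRecords cuts a byte stream into complete records and returns any
// trailing partial record as rest, so the caller can read more bytes.
func ParseRecords(stream []byte) (recs []Record, rest []byte, err error) {
	for len(stream) >= 5 {
		n := int(binary.BigEndian.Uint16(stream[3:5]))
		if n > 1<<14+256 { // max TLSCiphertext length, RFC 8446 section 5.2
			return nil, nil, errors.New("record too large")
		}
		if len(stream) < 5+n {
			break // incomplete record; wait for more bytes
		}
		recs = append(recs, Record{Type: stream[0],
			Version: binary.BigEndian.Uint16(stream[1:3]), Body: stream[5 : 5+n]})
		stream = stream[5+n:]
	}
	return recs, stream, nil
}

// HandshakeReassembler joins the bodies of consecutive handshake records
// and cuts them at handshake-message boundaries (4-byte header: msg_type,
// 24-bit length), so a message fragmented across records is reassembled
// and several messages packed into one record are separated.
type HandshakeReassembler struct{ buf []byte }

// Feed takes the body of one handshake record and returns every message
// completed so far, each still carrying its 4-byte header.
func (h *HandshakeReassembler) Feed(body []byte) (msgs [][]byte) {
	h.buf = append(h.buf, body...)
	for len(h.buf) >= 4 {
		n := int(h.buf[1])<<16 | int(h.buf[2])<<8 | int(h.buf[3])
		if len(h.buf) < 4+n {
			break
		}
		msgs = append(msgs, append([]byte(nil), h.buf[:4+n]...))
		h.buf = h.buf[4+n:]
	}
	return msgs
}

// DecodeInnerPlaintext undoes TLS 1.3's inner framing (RFC 8446 section
// 5.2): a decrypted body is content || real_type || zero padding, so the
// real content type is the last non-zero byte.
func DecodeInnerPlaintext(plain []byte) (typ byte, content []byte, err error) {
	i := len(plain) - 1
	for i >= 0 && plain[i] == 0 {
		i--
	}
	if i < 0 {
		return 0, nil, errors.New("inner plaintext has no content type byte")
	}
	return plain[i], plain[:i], nil
}

// hsMsg and rec build constructed test data: a handshake message with a
// made-up body (not a real ClientHello encoding) and a record around it.
func hsMsg(typ byte, body []byte) []byte {
	n := len(body)
	return append([]byte{typ, byte(n >> 16), byte(n >> 8), byte(n)}, body...)
}

func rec(typ byte, body []byte) []byte {
	n := len(body)
	return append([]byte{typ, 3, 3, byte(n >> 8), byte(n)}, body...)
}

func main() {
	hello := hsMsg(1, []byte("client hello body"))
	second := hsMsg(2, []byte("server hello body"))
	// hello is split over two records; the second record also carries all
	// of second, so the stream shows both fragmentation and packing.
	tail := append(append([]byte(nil), hello[7:]...), second...)
	stream := append(rec(ContentHandshake, hello[:7]), rec(ContentHandshake, tail)...)
	recs, rest, err := ParseRecords(stream)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d records, %d leftover bytes\n", len(recs), len(rest))
	var hr HandshakeReassembler
	for _, r := range recs {
		if r.Type != ContentHandshake {
			continue // RFC 8446: handshake records must not interleave with other types
		}
		for _, m := range hr.Feed(r.Body) {
			fmt.Printf("handshake msg_type=%d body=%q\n", m[0], m[4:])
		}
	}
	// The bytes from the first comment: the final "0\r\n\r\n" chunk of a
	// chunked HTTP body, then the content-type byte 23 (application_data).
	typ, content, _ := DecodeInnerPlaintext([]byte{48, 13, 10, 13, 10, 23})
	fmt.Printf("inner type=%d content=%q\n", typ, content)
	// A close_notify alert after decryption: legacy level byte, description
	// 0 (close_notify), type byte 21, then optional zero padding.
	typ, content, _ = DecodeInnerPlaintext([]byte{1, 0, ContentAlert, 0, 0})
	fmt.Printf("inner type=%d content=%v\n", typ, content)
}
```

Two points a middlebox or a toy client tends to get wrong are visible here: the reassembler cannot decide anything until the 24-bit handshake length is satisfied, so a fragment must be buffered rather than rejected, and the padding loop must run before the type byte is read, otherwise a padded record looks like content type 0.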