Published by Ralph Horn. Modified over 8 years ago.
Copyright © 2014 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential

Slide 1: PROXYSG SSL CRYPTO PROTOCOLS AND ALGORITHMS
- Thank you for joining today's Blue Coat Customer Support Technical Webcast!
- The Webcast will begin a minute or so after the top of the hour to allow today's very large audience sufficient time to join
- You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
- Audio broadcast will only go live when the Webcast begins; there will be silence until then
- The presentation will run approximately 60 minutes
- There will be a 30-minute Q/A session thereafter
- Please submit questions using the Webex Q/A feature!
Slide 2: PROXYSG SSL CRYPTO PROTOCOLS AND ALGORITHMS WEBCAST
- Dennis Pike, Principal Systems Engineer, dennis.pike@bluecoat.com
- April 14, 2015
Slide 3: AGENDA
- Crypto protocols and algorithms
- Recent trends in SSL
- ProxySG SSL architecture
- SSL performance factors
- Best practices
- Troubleshooting
Slide 4: SSL CRYPTO PROTOCOLS AND ALGORITHMS (section title)
Slide 5: PARTS IS PARTS
A negotiated SSL/TLS session is made of independently chosen parts; a cipher suite name strings them together:
- Protocol version: SSLv?, TLS1.?
- Handshake (key exchange) algorithm: RSA, DHE, ECDHE
- Authentication / signing: RSA, DSA, ECDSA
- Bulk (symmetric) encryption: RC4, 3DES, AES*
- Hash (MAC / PRF): MD5, SHA1, SHA2/256
- Registry of cipher suite identifiers: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
Slide 6: RECENT TRENDS IN SSL (section title)
Slide 7: SNOWDEN EFFECT
- Release of classified NSA material started in June 2013. Since then:
  - Global SSL connections at peak have more than doubled
  - Major web properties have gone default HTTPS and moved to more secure ciphers/algorithms: 34 of the top 50; 8 of the top 10 (Baidu and QQ are the exceptions)
  - Web browsers promote better security through their graphical look (lock icon) and error messages, based on the cryptography that is negotiated
Slide 8: HEARTBLEED AND POODLE AND BEAST, OH MY!!!
- Death to SSLv3! Long live TLS 1.2!
- Heartbleed: OpenSSL 1.0.1 bug (CVE-2014-0160) in the TLS heartbeat extension that leaks server memory, private key material included
- POODLE: padding-oracle attack on SSLv3 CBC; a client is forced to fall back ("downgrade") to SSLv3, so the fix is to disable SSLv3 outright
- BEAST: TLS 1.0 CBC attack that exploits the chained (predictable) IVs; TLS 1.1 and later use per-record IVs
- Forward secrecy: with RSA key exchange, whoever later obtains the server's private key (e.g. by court order) can decrypt recorded sessions; ephemeral DHE/ECDHE key exchange removes that exposure
Slide 9: GOOGLE WHO?
- Certificate hash: MD5 -> SHA-1 -> SHA-2
- All key properties are HTTPS
- ECDHE for key exchange by preference, if the browser supports it
- AES-GCM as the bulk cipher if the client supports it and is not Chrome
- ChaCha (ChaCha20-Poly1305) as the bulk cipher if the client is Chrome
Slide 10: MOZILLA
- "It's Hip to be Mod" (a nod to the "Modern" profile of Mozilla's Server Side TLS configuration guidance)
Slide 11: MOZILLA (continued; chart)
Slide 12: THE BIG SHIFT, January 2014 (baseline charts)
- Bulk cipher
- Handshake
- Protocol
Slide 13: THE BIG SHIFT, May 2014 (versus January)
- Bulk cipher: AES up, 3DES down
- Handshake: ECDHE 21% -> 42%
- Protocol: TLS 1.2 33% -> 54%
- Certificate signing: SHA-2 5% -> 10%
Slide 14: SUMMARY
- More SSL traffic, and a higher percentage of all traffic is SSL
- Stronger hash / MAC (MD5 -> SHA-2)
- Stronger asymmetric key exchange during the handshake (RSA key transport -> ECDHE key agreement)
- Stronger symmetric bulk encryption during data exchange (RC4/3DES -> AES)
- Stronger authentication / digital signing (RSA -> ECDSA)
Slide 15: BLUE COAT PROXYSG SSL ARCHITECTURE (section title)
Slide 16: SSL INTERCEPT (diagram)
Slide 17: PERFORMANCE FACTORS (section title)
Slide 18: SSL PERFORMANCE INFLUENCERS
- Handshake
  - Protocol version -> limited to no impact
  - Certificate emulation -> expensive, but a one-time cost per origin certificate (cached) *
- Asymmetric key exchange cipher algorithm
  - RSA vs DHE vs ECDHE -> DHE is high cost compared with RSA/ECDHE
- Key size
  - 1024 vs 2048 vs 4096 -> low/moderate (2048) to high (4096)
- Certificate digital signing
  - RSA vs DSA -> low (only ~5% of sites today)
- Certificate hash
  - MD5 vs SHA-1/2 -> low
- Bulk encryption
  - RC4 vs AES -> low
- Load
  - Roughly linear up to 80%
Slide 19: PERFORMANCE FACTORS
1. Emulating certificates: the highest-cost operation is the creation of the emulated certificate
2. Wildcard certificates: certificate collisions in the cache prevent reuse of the emulated certificate
3. Key exchange CPU load: RSA < ECDHE < DHE; DHE has roughly 20x the CPU load of ECDHE (highest impact)
Slide 20: BEST PRACTICES (section title)
Slide 21: BEST PRACTICES
- Upgrade to >= SG 6.5.6.1
- Many new ciphers were added in 6.5.6.1, including:
  - ECDHE-RSA-AES128-SHA (0xC013)
  - ECDHE-RSA-AES256-SHA (0xC014)
  - ECDHE-RSA-AES128-SHA256 (0xC027)
  - ECDHE-RSA-AES128-GCM-SHA256 (0xC02F)
  - ECDHE-RSA-RC4-SHA (0xC011)
- 6.5.7.1 added ECDSA:
  - ECDHE-ECDSA-AES128-SHA256 (0xC023)
  - ECDHE-ECDSA-AES128-GCM-SHA256 (0xC02B)
  - ECDHE-ECDSA-RC4-SHA (0xC007)
  - ECDHE-ECDSA-AES128-SHA (0xC009)
  - ECDHE-ECDSA-AES256-SHA (0xC00A)
- Caveat: the two RC4 suites are there for compatibility only. RFC 7465 (February 2015) prohibits RC4 in TLS, so prefer the AES-GCM and AES-CBC suites and keep RC4 at the bottom of the list or disabled.
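To make the "parts" of slide 5 concrete and to check a cipher list such as the one above, here is an added example (written for this page; it is not Blue Coat or OpenSSL code). It splits OpenSSL-style suite names into key exchange, authentication, bulk cipher, mode and MAC hash, flags the components the deck treats as weak, and orders a list the way the trend slides point. The hex map holds only the code points quoted on this deck (from the IANA registry); the ranking key and the weakness labels are this example's own choices.

```python
"""Decompose TLS cipher-suite names into the parts the 'Parts is parts'
slide lists (key exchange, authentication, bulk cipher, mode, MAC/PRF
hash) and flag the components the deck treats as weak.

Added example for this page, not Blue Coat or OpenSSL code.  The hex
map covers only the suites the slides name (IANA code points); any
other OpenSSL-style name is classified from its tokens alone.
"""

# IANA code points for the suites quoted on the best-practices and
# open-issues slides.
IANA_IDS = {
    "ECDHE-RSA-AES128-SHA": 0xC013,
    "ECDHE-RSA-AES256-SHA": 0xC014,
    "ECDHE-RSA-AES128-SHA256": 0xC027,
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
    "ECDHE-RSA-RC4-SHA": 0xC011,
    "ECDHE-ECDSA-AES128-SHA256": 0xC023,
    "ECDHE-ECDSA-AES128-GCM-SHA256": 0xC02B,
    "ECDHE-ECDSA-RC4-SHA": 0xC007,
    "ECDHE-ECDSA-AES128-SHA": 0xC009,
    "ECDHE-ECDSA-AES256-SHA": 0xC00A,
    "ECDHE-RSA-AES256-SHA384": 0xC028,
    "ADH-RC4-MD5": 0x0018,
}

EPHEMERAL_KX = {"ECDHE", "DHE"}                  # these give forward secrecy
STATIC_KX = {"ECDH", "DH"}                       # certificate-bound DH keys
ANON_PREFIX = {"ADH": "DHE", "AECDH": "ECDHE"}   # OpenSSL names for anon DH
AUTH_TOKENS = {"RSA", "ECDSA", "DSS"}
MAC_TOKENS = {"MD5", "SHA", "SHA256", "SHA384"}
AEAD_MODES = {"GCM", "CCM", "POLY1305"}


def parse_suite(name):
    """Return a dict describing one OpenSSL-style cipher-suite name."""
    tokens = name.upper().split("-")

    # 1. Key exchange and authentication ("handshake" and "signing" parts).
    if tokens[0] in ANON_PREFIX:
        kx, auth = ANON_PREFIX[tokens.pop(0)], "NONE"
    elif tokens[0] in EPHEMERAL_KX | STATIC_KX:
        kx = tokens.pop(0)
        auth = tokens.pop(0) if tokens[0] in AUTH_TOKENS else "RSA"
    else:
        kx, auth = "RSA", "RSA"    # e.g. AES128-SHA: static RSA key transport

    # 2. The MAC / PRF hash is the last token, except for AEAD suites such
    #    as CHACHA20-POLY1305 whose names omit it (their PRF is SHA-256).
    mac = tokens.pop() if tokens[-1] in MAC_TOKENS else "SHA256"

    # 3. Bulk cipher and mode.
    if tokens[-1] in AEAD_MODES:
        mode = tokens.pop()
    elif tokens[-1] == "CBC3":          # OpenSSL spells 3DES as DES-CBC3
        tokens.pop()
        tokens[-1] = "3DES"
        mode = "CBC"
    elif tokens[-1] == "RC4":
        mode = "STREAM"
    else:
        mode = "CBC"
    bulk = "-".join(tokens)

    weaknesses = []
    if auth == "NONE":
        weaknesses.append("anonymous key exchange: no server authentication")
    if kx not in EPHEMERAL_KX:
        weaknesses.append(f"no forward secrecy ({kx} key exchange is not ephemeral)")
    if bulk == "RC4":
        weaknesses.append("RC4 stream cipher (prohibited by RFC 7465)")
    if bulk == "3DES":
        weaknesses.append("3DES: 64-bit block cipher")
    if mac == "MD5":
        weaknesses.append("MD5 MAC")
    return {
        "name": name, "iana_id": IANA_IDS.get(name.upper()),
        "kx": kx, "auth": auth, "bulk": bulk, "mode": mode, "mac": mac,
        "forward_secrecy": kx in EPHEMERAL_KX, "weaknesses": weaknesses,
    }


def rank_suites(names):
    """Order a suite list the way the deck's trend slides point:
    no known weaknesses, forward secrecy and AEAD first; RC4 last."""
    parsed = [parse_suite(n) for n in names]
    parsed.sort(key=lambda p: (p["bulk"] == "RC4", len(p["weaknesses"]),
                               not p["forward_secrecy"],
                               p["mode"] not in AEAD_MODES))   # stable sort
    return [p["name"] for p in parsed]


if __name__ == "__main__":
    for n in rank_suites(list(IANA_IDS)):
        p = parse_suite(n)
        print(f"0x{p['iana_id']:04X} {n:32} {p['kx']:5} {p['auth']:5} "
              f"{p['bulk']:8} {p['mode']:8} {p['mac']:6} {'; '.join(p['weaknesses'])}")
```

Running the file prints the deck's suites in recommended order with their parts and flags; the two RC4 suites and the anonymous DH suite from the open-issues slide land at the bottom, which is the order a practitioner would want the ProxySG cipher list to reflect.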
Slide 22: BEST PRACTICES
- Disable DHE
  - 6.5.4 introduced DHE support, but it is very CPU intensive
  - The 6.5.4.3 patch has a CLI command to disable it:
      #conf t
      #(config) ssl
      #(config ssl) proxy dhe-ciphers disable
  - Upgrade to >= 6.5.5.1: DHE for the SSL proxy is now disabled by default (it can still be enabled)
- Reduce the number of emulated certificates
  - Upgrade to 6.5.5.1 and use the new CLI command to increase the certificate cache timeout to tune performance:
      #conf t
      #(config) ssl
      #(config ssl) proxy set-cert-cache-timeout 72 hours
  - A 72-hour timeout keeps Friday's emulated certificates through the weekend and prevents the Monday-morning high load of re-emulating them all
Slide 23: BEST PRACTICES
- Wildcard certificates (e.g. *.google.com and others)
  - Different servers present different certificates (different expiration, keys, extensions, etc.) under the same wildcard CN
  - The SG caches emulated certificates using the CN as the key
  - The SG sees these different certs all with the same CN, causing a collision in the certificate cache and forcing it to re-emulate the certificate on every switch
  - A future certificate-cache enhancement is planned; until then use the policy resolution below
- Wildcard certificates resolution
  - Install the following policy in the SSL Intercept layer (it creates a unique cache instance for each certificate by folding the serial number and validity period into the splash text):
      ssl.forward_proxy(https)
      ssl.forward_proxy.splash_text("$(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)$(x-rs-certificate-valid-to)")
  - Monitor efficacy using % certificate emulations = SPS51 / (SPS51 + SPS61)
Slide 24: BEST PRACTICES
- From the VPM, edit the SSL-Intercept layer
- Click on "Splash Text" and paste the text below into the box:
    $(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)$(x-rs-certificate-valid-to)
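The collision described on slides 23 and 24, and the emulation ratio the troubleshooting slides use to measure it, as an added example (written for this page; it is not Blue Coat code). It models an emulated-certificate cache keyed by CN only against one keyed by CN plus the splash-text fields, drives both over a constructed stream of origin certificates (two different *.linkedin.com certs alternating with a stable single-host cert, data made up here), and reports SPS51/(SPS51+SPS61). The cache internals are an assumption; only the counter names and the ratio come from the deck.

```python
"""Simulate the ProxySG emulated-certificate cache the wildcard slide
describes: keyed by Common Name alone it re-emulates every time two
origin servers present different certificates with the same CN, while a
key that also carries serial number and validity period (the splash-text
policy) gives each origin certificate its own entry.

Added example for this page, not Blue Coat code.  The cache model and
the origin-certificate stream are constructed; only the counter names
SPS51/SPS61 and the ratio SPS51 / (SPS51 + SPS61) come from the deck.
"""

from collections import namedtuple

# What the proxy sees in a server certificate (constructed data).
OriginCert = namedtuple("OriginCert", "cn serial valid_from valid_to")

# Two distinct *.linkedin.com certificates (different serial and validity),
# as a CDN fronting many hosts would present, plus one stable single-host cert.
CONSTRUCTED_STREAM = [
    OriginCert("*.linkedin.com", "020000000001456FAAB168CFFE4A", "2014-04-17", "2015-04-17"),
    OriginCert("*.linkedin.com", "0A0B0C0D0E0F1011", "2014-09-01", "2015-09-01"),
    OriginCert("rtax.criteo.com", "1234", "2014-06-02", "2015-07-21"),
] * 4


def splash_text(cert):
    """What $(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)
    $(x-rs-certificate-valid-to) expands to in the slide's policy."""
    return f"{cert.serial}{cert.valid_from}{cert.valid_to}"


def cn_key(cert):
    """Default behaviour: CN only, splash text empty."""
    return (cert.cn, "")


def cn_plus_splash_key(cert):
    """Behaviour once the splash-text policy is installed."""
    return (cert.cn, splash_text(cert))


def emulation_pct(sps51, sps61):
    """% certificate emulations = SPS51 / (SPS51 + SPS61), the metric on
    the certificate-emulation statistics slide."""
    return sps51 / (sps51 + sps61)


class EmulatedCertCache:
    """Minimal model: a lookup hits only if an entry exists for the key and
    was emulated from the very same origin certificate; otherwise the slot
    is overwritten (the signature-mismatch eviction) and a new emulation
    is counted."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}    # key -> origin cert the cached emulation was built from
        self.sps51 = 0       # total certificates emulated
        self.sps61 = 0       # successful cache lookups

    def handshake(self, cert):
        key = self.key_fn(cert)
        if self.entries.get(key) == cert:
            self.sps61 += 1
            return "cache-hit"
        self.entries[key] = cert     # first sight or collision: emulate again
        self.sps51 += 1
        return "emulated"

    def emulation_ratio(self):
        return emulation_pct(self.sps51, self.sps61)


def run(stream, key_fn):
    """Replay a sequence of server certificates through one cache model."""
    cache = EmulatedCertCache(key_fn)
    for cert in stream:
        cache.handshake(cert)
    return cache


if __name__ == "__main__":
    for label, key_fn in (("CN only", cn_key), ("CN + splash text", cn_plus_splash_key)):
        c = run(CONSTRUCTED_STREAM, key_fn)
        print(f"{label:18} SPS51={c.sps51:2} SPS61={c.sps61:2} "
              f"entries={len(c.entries)} emulations={c.emulation_ratio():.0%}")
```

On the constructed stream the CN-only cache emulates 9 times in 12 handshakes (75%) because the two linkedin.com certificates keep evicting each other, while the splash-text key emulates exactly once per distinct certificate (25% over this short run, and falling towards zero as the run lengthens). The same `emulation_pct` applied to the figures on the statistics slide (2,264 and 42,109) gives about 5.1%.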
Slide 25: BEST PRACTICES
- Set the emulated certificate key size to 1024
    Blue Coat SG300 Series#conf t
    Enter configuration commands, one per line. End with CTRL-Z.
    Blue Coat SG300 Series#(config)ssl
    192.168.13.4 - Blue Coat SG300 Series#(config ssl)proxy force-emulated-cert-keysize 1024
    ok
- Valid values: auto, 1024 or 2048
- This applies to the client-side (emulated) certificate only; a downgrade is still possible on the server side
- Caveat: 1024-bit RSA is below the 2048-bit minimum that NIST guidance (SP 800-131A) has required since 2014; trade the lower emulation cost against that only where the client population is fully under your control
Slide 26: SIZING
- If you haven't enabled SSL Intercept yet: size for the reference mix (15% HTTPS, 70% CPU, SGOS 6.5)
- If you are upgrading to >= 6.5:
  - HTTPS utilization has gone up over time
  - Expect a 10-15% reduction in throughput, independent of HTTP
Slide 27: ENCRYPTED TRAFFIC MANAGEMENT SOLUTIONS
- ProxySG
  - SSL visibility and full proxy policy control for web traffic only
  - Selective decrypt maintains privacy (BCWF categories)
  - Feeds decrypted traffic to AV and DLP solutions via ICAP
  - Single output stream; Encrypted TAP (optional)
- SSL Visibility
  - SSL visibility and policy control for ALL SSL traffic (all ports, all traffic)
  - Selective decryption maintains privacy (Host Categorization)
  - Standalone, high-performance appliance: up to 4 Gbps SSL
  - Multiple output streams: enhances IDS/IPS, NGFW, DLP, SWG, security analytics / forensics, compliance, malware analysis / sandbox, etc.
Slide 28: TROUBLESHOOTING (section title)
Slide 29: OPEN ISSUES
- Cipher compatibility
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
  - TLS_DH_anon_WITH_RC4_128_MD5 (0x0018) -> used by MS Lync desktop sharing
  - Investigating; workaround: bypass in the SSL Intercept layer (note that an anonymous-DH, RC4, MD5 suite authenticates nobody and is not inspected once bypassed, so scope the bypass rule to the Lync destinations only)
- Reverse proxy limitations
  - ECDHE is not currently supported
  - Will be added in a future release
Slide 30: TESTING TOOLS
- Client ciphers: https://cc.dcsec.uni-hannover.de/
- Server ciphers: https://www.ssllabs.com/ssltest/analyze.html
Slide 31: CPU LOAD
- CPU monitor
  - Enable at https://x.x.x.x:8082/Diagnostics/CPU_Monitor/statistics
- Create 5-minute snapshots (KB3795)
  - Don't change the existing daily or hourly snapshot values
Slide 32: TRAFFIC MIX
- Percentage HTTPS: Statistics > Traffic Details > Traffic Mix
Slide 33: CERTIFICATE EMULATION STATISTICS (SG 6.5.5.1)
- SSL statistics (in the Sysinfo and at the SSL/Statistics URL): https://SG_IP:8082/SSL/statistics
- Certificate emulation counters:

    SPS51  Total certificates emulated                                                   2,264
    SPS52  Total RSA 2048-bit key certificates emulated                                  2,250
    SPS53  Current cached emulated server certificates                                   1,078
    SPS54  Total emulated server certificates added to cache                             1,390
    SPS55  Total emulated server certificates removed from cache due to timeout              0
    SPS56  Total emulated server certificates removed from cache due to maxsize              0
    SPS57  Total emulated server certificates removed from cache due to signature mismatch  312
    SPS58  Total emulated server certificates removed from cache due to config changes        0
    SPS59  Total emulated server certificates add-to-cache failures                        874
    SPS61  Total server certificate cache successful lookups                            42,109
    SPS62  Total proxy certificates emulated                                                 5
    SPS63  Total certificate emulation failures                                              0

- % certificate emulations = SPS51 / (SPS51 + SPS61)
- With the values above: 2,264 / (2,264 + 42,109) ≈ 5.1%
- In steady state the percentage of new emulations should be very small; a rising SPS57 (removed due to signature mismatch) is the sign that origin certificates are changing under the same cache key, i.e. the wildcard collision from the best-practices slides
Slide 34: SSL PROXY CERTIFICATE CACHE
- Advanced URL: https://SG_IP:8082/sslproxy/certcache
- SSL Proxy Certificate Cache (URL_Path /sslproxy/certcache), certificate cache contents:

    Number of cache entries: 1078
    Common Name, Splash Text, Splash URL, Server Keyring
    rtax.criteo.com,,
    cloudfront.net,,
    www.bgov.com,,
    s3.wpc.edgecastcdn.net,,
    www.palottery.state.pa.us,,
    beacon.walmart.com,,
    *.linkedin.com, 020000000001456FAAB168CFFE4A Apr 17 12:30:30 2014 GMT Apr 17 12:30:30 2015 GMT,
    beis.cc.iup.edu,,
    www.syncaccess.net,,
    *.widget.custhelp.com, 062306473BAC372720E3496C661336F0 Feb 28 00:00:00 2014 GMT Mar 30 23:59:59 2015 GMT,
    ads.dotomi.com, 02F7CA Sep 3 03:33:55 2014 GMT Nov 5 14:50:00 2015 GMT,
    *.wer.microsoft.com, 28DB34EB000100005898 Apr 4 17:56:38 2013 GMT Apr 4 17:56:38 2015 GMT,
    *.ebay.com,,
    *.googleusercontent.com,,
    *.reson8.com, D3C03378DC74A2ABF36132E69E273C45 Jun 2 00:00:00 2014 GMT Jul 21 23:59:59 2015 GMT,
    stage.tracker.springserve.com,,
    services.addons.mozilla.org,,
    *.tapad.com, 024906 Jun 2 08:10:18 2013 GMT Sep 3 03:30:13 2016 GMT,
    *.dropbox.com,,

- For entries created under the wildcard policy the Splash Text column is $(x-rs-certificate-serial-number) $(x-rs-certificate-valid-from) $(x-rs-certificate-valid-to); entries cached by CN alone have it empty
Slide 36: THANK YOU FOR JOINING TODAY!
- Please provide feedback on this webcast and suggestions for future webcasts to: john.dyer@bluecoat.com
- Webcast replay and slide deck will be found here within 48 hours: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO log-in)
Slide 37: BLUE COAT CUSTOMER FORUMS
- Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
- Research, post and reply to topics relevant to you at your own convenience
- Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
- Access at forums.bluecoat.com and register for an account today!
Slide 38: QUICK SURVEY
- We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be redirected to a very short survey about satisfaction with this program. Please help us out by taking two minutes to complete it. Thank you!
- Questions for Dennis?
Slide 39: Questions?
Slide 40: PROXYSG SSL WEBCAST QUESTIONS
Q1: