iOS9 ATS on Amazon AWS Elastic Load Balancers
Apple is introducing App Transport Security (ATS) with iOS 9 and OS X 10 in an effort to enforce best security practices. For developers this means (according to the iOS Developer Library):
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn’t follow this requirement, an error is thrown.
Assuming basic knowledge of AWS ELB (read the previous article on High-grade Encryption with Amazon AWS Elastic Load Balancers), what needs to be done is:
- make sure to use TLS 1.2 ONLY
- enable forward secrecy (FS). In Transport Layer Security (TLS), Diffie–Hellman key exchange-based PFSs (DHE-RSA, DHE-DSS) and elliptic curve Diffie–Hellman-based PFSs (ECDHE-RSA, ECDHE-ECDSA) are available.
ECDSA keys are something to look forward to in the future (fewer than 1% of keys in use are ECDSA keys; the majority are RSA keys):
- with ECDSA you can get the same level of security as RSA but with smaller keys
- smaller keys have faster algorithms for generating signatures because the math involves smaller numbers
- smaller public keys mean smaller certificates and less data to pass around to establish a TLS connection
- ECDSA keys do NOT yet have hardware acceleration
This means quicker connections and faster loading times on websites using ECDSA keys, but existing software uses hardware-accelerated RSA & AES, so at the moment speed is not the major factor.
Let's have a look at the TLS 1.2 cipher candidates:
DHE-RSA-AES256-SHA. This means DHE for key exchange, RSA for server certificate authentication, 256-bit key AES for the stream cipher, and SHA for the message authentication.
And the winner is ECDHE-RSA-AES128-GCM-SHA256
This is the best option here (in my opinion):
- ECDHE is faster than any other DH variant and is already a standard (plain DH is not widely adopted because it is slower)
- we use an RSA key and are considering switching to ECDSA in the near future
- AES128 is considered to offer the same security level as AES256 (read here or here): there are a number of flaws in AES256, and the reason AES192 & AES256 exist at all is mostly not ‘because they are stronger encryption’ but bureaucracy (3 security levels needed).
- choose a suite with GCM (Galois/Counter Mode) instead of CBC mode, because GCM is faster (see the Intel document on OpenSSL performance)
Breaking compatibility (DES-CBC3-SHA)
- If you have browser access, some old browsers might lack TLS 1.2 support; for example, the default browser on Android 4.4 (and lower) will fail to connect.
- AES and ECDHE based suites are available if IE >= 7 AND OS >= Windows Vista. AES does not exist with IE8 on WinXP.
To keep compatibility with Windows XP (and other old software), try enabling the DES-CBC3-SHA cipher. It is slow but still considered secure.
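An added example, not code from the original article: a Python check that audits the attributes of a Classic ELB SSL negotiation policy against the two requirements listed earlier (TLS 1.2 only, forward-secret key exchange) and shows what enabling DES-CBC3-SHA for compatibility costs. The two sample policies are constructed, and the input shape is assumed to be the `PolicyAttributeDescriptions` list returned by `aws elb describe-load-balancer-policies`.

```python
# Added example (not from the original article): audit a Classic ELB SSL
# negotiation policy against the checklist: TLS 1.2 only, forward secrecy.
FS_KEY_EXCHANGES = ("ECDHE", "DHE", "EDH")  # EDH is OpenSSL's older spelling of DHE
NON_CIPHER = ("Server-Defined-Cipher-Order",)

def parse_cipher(name):
    """Split an OpenSSL-style suite name into roles, e.g. DHE-RSA-AES256-SHA.
    A name without a recognised key-exchange prefix (DES-CBC3-SHA) is treated
    as RSA key exchange, which is not forward secret."""
    parts = name.split("-")
    if parts[0] in FS_KEY_EXCHANGES and len(parts) >= 4:
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        kx, auth, rest = "RSA", "RSA", parts
    return {"kx": kx, "auth": auth, "cipher": "-".join(rest[:-1]),
            "hash": rest[-1], "forward_secret": kx in FS_KEY_EXCHANGES}

def audit_policy(attributes):
    """attributes: list of {"AttributeName", "AttributeValue"} dicts, as in the
    PolicyAttributeDescriptions of `aws elb describe-load-balancer-policies`."""
    enabled = [a["AttributeName"] for a in attributes if a["AttributeValue"] == "true"]
    protocols = [n for n in enabled if n.startswith("Protocol-")]
    ciphers = [n for n in enabled if n not in protocols and n not in NON_CIPHER]
    findings = []
    if "Protocol-TLSv1.2" not in protocols:
        findings.append("TLSv1.2 is not enabled")
    findings += [f"{p[9:]} is enabled, checklist says TLS 1.2 only"
                 for p in protocols if p != "Protocol-TLSv1.2"]
    findings += [f"{c} has no forward secrecy"
                 for c in ciphers if not parse_cipher(c)["forward_secret"]]
    if not ciphers:
        findings.append("no cipher suite is enabled")
    return findings

def attrs(on, off=()):
    """Build constructed sample input in the AWS response shape."""
    return ([{"AttributeName": n, "AttributeValue": "true"} for n in on] +
            [{"AttributeName": n, "AttributeValue": "false"} for n in off])

# Constructed sample policies, not taken from a real load balancer.
ATS_ONLY = attrs(["Protocol-TLSv1.2", "Server-Defined-Cipher-Order",
                  "ECDHE-RSA-AES128-GCM-SHA256"], off=["Protocol-TLSv1", "DES-CBC3-SHA"])
LEGACY_COMPAT = attrs(["Protocol-TLSv1", "Protocol-TLSv1.2",
                       "ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"])

if __name__ == "__main__":
    for label, policy in (("ATS only", ATS_ONLY), ("legacy compat", LEGACY_COMPAT)):
        print(label, audit_policy(policy) or "OK")
```

Unrecognised suite names are reported as lacking forward secrecy, so the check errs toward flagging a policy for review.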
TLS 1.3, Mobile specifics, chacha(cha)?
Apple limits TLS to 1.2, but looking into the future there is already a TLS 1.3 draft that solves a few remaining TLS problems:
- TLS 1.3 reduces the handshake (latency)
- It is not 100%, but current iOS does support hardware-accelerated AES, which is yet another reason to select RSA+AES, and of course modern desktop CPUs do have AES encryption/decryption.
- The ChaCha20-Poly1305 cipher is three times faster than AES-128-GCM on mobile devices. Spending less time on decryption means faster page rendering and better battery life (blog.cloudflare.com). On desktop computers with hardware AES support, AES-128-GCM is still the faster choice. Unfortunately AWS ELB does not support the ChaCha20 cipher at the moment.
References
- Improving OpenSSL Performance document
- SSL Checker www.ssllabs.com
- DHE/ECDHE Wikipedia
- SSL/TLS cipher names
- SHA-1 known broken since 2005
- Transport Layer Protection Cheat Sheet
- Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program 2880823
- Is TLS fast https://istlsfastyet.com/
- Do the ChaCha by CloudFlare document
- Guess why we’re moving to 256-bit AES keys blog.agilebits.com
- IE Supported Cipher Suites github