This project is part of UCLA ACM Cyber's series of quarterly projects where a topic within cybersecurity is chosen for exploration.
As the name suggests, this project deals with Transport Layer Security (TLS), and specifically attempts to implement TLS v1.3 for a better understanding of how a secure communication channel is set-up across the web.
You may wish to first create a virtual environment (see https://docs.python.org/3/tutorial/venv.html for a tutorial on venvs) so as to avoid polluting your global Python library space.
The next step is to install the Python dependencies by running the following in the root directory of the repo
pip install -r requirements.txtFinally, run the module by running the command
python3 -m tlsimplYou should see the following
Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: RSA-PSS+SHA384
Shared Signature Algorithms: RSA-PSS+SHA384
Supported groups: x25519
Shared groups: x25519
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
TLS v1.3 connection established!
Send something to the openssl server >
whereby, after inputing data, you should be able to see that the server received the response as follows, and prompts for how the server should respond
TLS v1.3 connection established!
Send something to the openssl server > Hello!
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 23
Inner Content Type = ApplicationData (23)
Hello!
Now you are the server, pls reply >
After we determine the server's response, we can observe the trace for it, and the cycle repeats again
Now you are the server, pls reply > Hi, how are you doing?
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 40
Inner Content Type = ApplicationData (23)
Data received from the server: b'Hi, how are you doing?\n'
TLS v1.3 connection established!
Send something to the openssl server >
This implementation includes the generation and derivation of handshake and application keys, as they form the crux of why TLS v1.3 exists - to create a secure communication channel between the client and server.
As is required by the specification, other
However, the following simplifications are made for this project
- We fix a particular cipher suite (TLS_AES_256_GCM_SHA384) for symmetric encryption, as well as some other cryptography-related parameters (such as the curve for the elliptic curve encryption)
- We ignore a number of server extensions e.g. SUPPORTED_VERSIONS which are not particularly important to the handshake / key exchange process
- We do not verify the server's certificate (at least for now)
Future work for this project includes the following
- Verify the server's ceritificate
- Accommodate cipher suite negotiation - this will require accepting Hello Retry Requests
- Leverage multi-threading upon receiving multiple blocks of encrypted data from the server for decryption
The authors of this fork of the project are Teong Seng Tan, Prabvhir Babra, and Luca Tineo.
Credit is also due to the leads of this ACM Cyber Lab - Jason An, Mark Epstein, Gary Song and Arnav Vora - for providing the base repo from which this repo was forked.
Other significant references include https://tls13.xargs.org/.