TLS Traffic Visibility

TLS 1.3 has created a problem for enterprise data centers known as the TLS 1.3 traffic visibility problem, or the PFS session visibility problem (where PFS is short for “perfect forward secrecy”). The latest version of the TLS protocol has discontinued the use of a static RSA key for key exchange, leaving Ephemeral DH (DHE) and Ephemeral ECDH (ECDHE) as the only key exchange primitives based on asymmetric cryptography. These primitives provide forward secrecy, but make it impossible to inspect TLS traffic in the intranet by provisioning a middlebox with a static RSA key, as is done for earlier versions of protocol. Since traffic inspection is necessary for essential tasks such as troubleshooting, attack detection and compliance audits, enterprises cannot migrate to TLS 1.3 without a solution to this problem.

The following series of blog posts discusses the problem and proposes three variants of a Pomcor visibility solution based on the establishment of an (EC)DHE visibility shared secret (VSS) between the TLS server and a passive middlebox. It also provides a survey of traffic visibility solutions for both TLS 1.2 and TLS 1.3 and a discussion of the related Multiple Protection State problem in the last post.

1. Reconciling Forward Secrecy with Network Traffic Visibility in Enterprise Deployments of TLS 1.3. This post proposes the original Pomcor visibility solution, applicable to the (EC)DHE key exchange mode of TLS 1.3, where the TLS server and the middlebox use ephemeral key pairs to establish the VSS and use the bits of the VSS to independently derive the server’s TLS private key, then the TLS shared secret.
2. Protocol-Level Details of the TLS 1.3 Visibility Solution. This post provides full details of the original Pomcor visibility solution, and shows an interleaving of solution steps with TLS messages.
3. Extending the TLS 1.3 Visibility Solution to Include PSK and 0-RTT. This post extends the Pomcor visibility solution to all three key exchange modes of TLS 1.3, and introduces a Secret Transmission (ST) variant of the solution where the bits of the VSS are used to derive an AEAD key and AEAD nonces for protecting messages transmitting the TLS 1.3 traffic secrets from the TLS server to the visibility middlebox. It refers to the original variant as the Secret Derivation (SD) variant.
4. A Two-Version Visibility Solution for TLS 1.2 and TLS 1.3 based on a Handshake-Agnostic Middlebox. This post introduces the two-version (2V) variant of the Pomcor visibility solution, which is applicable to both TLS 1.2 and TLS 1.3. As in the ST variant, the bits of the VSS are used to derive an AEAD key and AEAD nonces, but the AEAD key and nonces are used to encrypt protection states that the server sends to the middlebox, instead of traffic secrets. The post also shows how the VSS can be precomputed in all three variants of the Pomcor visibility solution to avoid increasing the latency of the TLS handshake.
5. A Survey of Existing and Proposed TLS Visibility Solutions. This post provides a survey of TLS visibility solutions for TLS 1.2 and TLS 1.3. It also describes the Multiple Protection State problem, which prevents some PFS visibility solutions that work in TLS 1.2 from working in TLS 1.3.

The following post discusses a response to the last post of the series received from the Nubeva:

• Nubeva Explains How It handles TLS 1.3 Key Updates in Response to Pomcor Blog Post.

The following post shows how the “early data” or “0-RTT” feature of TLS 1.3 can be used by an attacker as an encrypted steganographic channel, and how two of our visibility solutions can mitigate this risk:

• The 0-RTT Feature of TLS 1.3 Can Be Used As an Encrypted Steganographic Channel to Operate a Backdoor into an Enterprise Network.

Background materials in chronological order:

• T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, August 2008.
• R. Housley and R. Droms. TLS 1.3 Option for Negotiation of Visibility in the Datacenter. draft-rhrd-tls-tls13-visibility-01, March 2018.
• E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018.
• European Telecommunications Standards Institute (ETSI). Middlebox Security Protocol; Part 3: Enterprise Transport Security. August 2019.
• Center for Cybersecurity Policy and Law. Enterprise Workshop Summary Report. Held September 24, 2019.
• National Security Agency (NSA). MANAGING RISK FROM TRANSPORT LAYER SECURITY INSPECTION. Cybersecurity Info Sheet, December 2019.
• Jesse Rothstein, ExtraHop. The Network Is Going Dark: TLS 1.3 and Security Operations Visibility. Blog post with link to presentation at RSA 2020. March 2020.
• National Institute of Standards and Technology (NIST). Virtual Workshop on Challenges with Compliance, Operations, and Security with TLS 1.3. Held September 25, 2020.
• Paul Barrett, Enterprise Netscout Systems. Managed Diffie-Hellman. Presentation at NIST workshop held September 25, 2020.
• Steve Perkins, Nubeva. Symmetric Key Intercept for TLS1.3 (and Legacy) Decrypted Visibility. Presentation at NIST workshop held September 25, 2020.
• Nancy Cam-Winget, Cisco. Collaborative Security in an Encrypted Internet. Presentation at NIST workshop held September 25, 2020.
• National Security Agency (NSA). Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations. Cybersecurity Advisory, January 2021.