MUD (D)TLS profiles for
IoT devicesMcAfee, Inc.Embassy Golf Link Business ParkBangaloreKarnataka560071Indiakondtir@gmail.comCitrix Systems, Inc.4988 Great America PkwySanta ClaraCA95054USAdanwing@gmail.comOPSWG WGThis memo extends Manufacturer Usage Description (MUD) to model DTLS
and TLS usage. This allows a network element to notice abnormal DTLS or
TLS usage which has been strong indicator of other software running on
the endpoint, typically malware.Encryption is necessary to protect the privacy of end users using IoT
devices. In a network setting, TLS and
DTLS are the dominant
protocols to provide encryption for IoT device traffic. Unfortunately in
conjunction with IoT applications rise of encryption, malware is also
using encryption which thwarts network-based analysis such as deep
packet inspection (DPI). Other mechanisms are needed to notice malware
is running on the IoT device.Malware frequently uses its own libraries for its activities, and
those libraries are re-used much like any other software engineering
project. Research indicates there are
observable differences in how malware uses encryption compared with
non-malware uses encryption. There are several interesting findings
specific to DTLS and TLS which were found common to malware: Older and weaker cryptographic parameters (e.g.,
TLS_RSA_WITH_RC4_128_SHA).TLS SNI and server certificates are composed of subjects with
characteristics of a domain generation algorithm (DGA) (e.g.,
www.33mhwt2j.net).Higher use of self-signed certificates compared with typical
legitimate software.Discrepancies in the server name indication (SNI) TLS extension
in the ClientHello message and the DNS names in the
SubjectAltName(SAN) X.509 extension in the server certificate
message.Discrepancies in the key exchange algorithm and the client public
key length in comparison with legitimate flows. As a reminder,
Client Key Exchange message has been removed from TLS 1.3.Lower diversity in TLS client advertised TLS extensions compared
to legitimate clients.If observable (D)TLS profile parameters are used, the following
discusses the favorable impact on network security:Although IoT devices that have a single or small number of uses
might have very broad communication patterns. In such a case, MUD
rules using ACLs on its own is not suitable for these IoT devices
but observable (D)TLS profile parameters can be used for such IoT
devices to permit intended use and to block malicious behaviour of
IoT devices.Several TLS deployments have been vulnerable to active
Man-In-The-Middle (MITM) attacks because of lack of certificate
validation. By observing (D)TLS profile parameters, a network
element can detect when the TLS SNI mismatches the SubjectAltName
and detect when the server's certificate is invalid, and alert those
situations.IoT device can learn a new skill, and the new skill changes the
way the IoT device communicates with other devices located in the
local network and Internet. In other words, if IP addresses and
domain names the IoT device connects to rapidly changes and MUD
rules using ACLs cannot be rapidly updated, observable (D)TLS
profile parameters can be used to permit intended use and to block
malicious behaviour of IoT device.This document extends MUD to model
observable (D)TLS profile parameters. Using these (D)TLS profile
parameters, an active MUD-enforcing firewall can identify MUD
non-compliant DTLS and TLS behavior that can indicate malware is running
on the IoT device. This detection can prevent malware download, block
access to malicious domains, enforce use of strong ciphers, stop data
exfiltration, etc. In addition, organizations may have policies around
acceptable ciphers and certificates on the websites the IoT devices
connect to. Examples include no use of old and less secure versions of
TLS, no use of self-signed certificates, deny-list or accept-list of
Certificate Authorities, valid certificate expiration time, etc. These
policies can be enforced by observing the (D)TLS profile parameters.
Enterprise firewall can use the IoT device's (D)TLS profile parameters
to identify legitimate flows by observation of (D)TLS sessions, and can
make inferences to permit legitimate flows and to block malicious flows.
The proposed technique is also suitable in deployments where decryption
techniques are not ideal due to privacy concerns, non-cooperating
end-points and expense.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and
only when, they appear in all capitals, as shown here."(D)TLS" is used for statements that apply to both Transport Layer
Security and Datagram Transport Layer
Security . Specific terms are used for any
statement that applies to either protocol alone.In Enterprise networks, protection and detection are typically done
both on end hosts and in the network. Host agents have deep visibility
on the devices where they are installed, whereas the network has broader
visibility. Installing host agents may not be a viable option on IoT
devices, and network-based security can only be used to protect such IoT
devices. (D)TLS profile parameters of IoT device can be used by
middle-boxes to detect and block malware communication, while at the
same time preserving the privacy of legitimate uses of encryption.
Middle-boxes need not proxy (D)TLS but can passively observe the
parameters of (D)TLS handshakes from IoT devices and gain good
visibility into TLS 1.0 to 1.2 parameters and partial visibility into
TLS 1.3 parameters. Malicious agents can try to use the (D)TLS profile
parameters as legitimate agents to evade detection but it becomes a
challenge to mimic the behavior of various IoT device types and IoT
device models from several manufacturers. In other words, malware
developers will have to develop malicious agents per IoT device type,
manufacturer and model (which will be several thousands), infect the
device with specific malware agent and will have keep up with the
updates to (D)TLS profile parameters of IoT devices. Further, the
malware command and control server certificates needs to be signed by
the same certifying authorities trusted by the IoT devices.This document specifies a YANG module for representing (D)TLS
profile. The (D)TLS profile YANG module provides a method for firewall
to observe the (D)TLS profile parameters in the (D)TLS handshake to
permit intended use and to block malicious behavior. This module uses
the common YANG types defined in , rules
defined in and cryptographic types
defined in .The (D)TLS profile parameters include the following:(D)TLS versions supported by the IoT deviceList of supported symmetric encryption algorithmsList of supported compression methodsList of extension typesList of client key exchange algorithms and the client public key
lengths in versions prior to (D)TLS 1.3List of trust anchor certificates used by the IoT device. Note
that server certificate is encrypted in (D)TLS 1.3 and the
middle-box without acting as (D)TLS proxy cannot validate the server
certificate.List of DHE or ECDHE groups supported by the clientList signature algorithms the client can validate in X.509 server
certificatesList of SPKI pin sets pre-configured on the client to validate
self-signed server certificates or raw public keysIf SNI mismatch is allowed or not, and if SNI mismatch is
allowed, the server names for which SNI mismatch is allowed.If the (D)TLS profile parameters are not observed in a (D)TLS session
from the IoT device, the default behaviour is to block the (D)TLS
session.This document augments the "ietf-mud" MUD YANG module defined in
for signaling the IoT device (D)TLS
profile. This document defines the YANG module
"reddy-opsawg-mud-tls-profile", which has the following tree
structure:In (D)TLS 1.3, full (D)TLS handshake inspection is not possible since
all (D)TLS handshake messages excluding the ClientHello message are
encrypted. (D)TLS 1.3 has introduced new extensions in the handshake
record layers called Encrypted Extensions. Using these extensions
handshake messages will be encrypted and network devices (such as a
firewall) are incapable deciphering the handshake, thus cannot view the
server certificate. However, a few parameters in the ServerHello are
still visible such as the chosen cipher. Note that Client Key Exchange
message has been removed from (D)TLS 1.3.To increase privacy, encrypted SNI prevents passive
observation of the TLS Server Name Indication and to effectively
provide privacy protection, SNI encryption needs to be used in
conjunction with DNS encryption (e.g., DNS-over-(D)TLS or DNS-
over-HTTPS). Firewall inspecting the (D)TLS 1.3 handshake cannot
decrypt encrypted SNI. If an IoT device is configured to use public
DNS-over-(D)TLS or DNS- over-HTTPS servers, the policy enforcement
point is moved to that public server, which cannot enforce the MUD
policy based on domain names (Section 8 of ). Thus the use of a public DNS-over-(D)TLS or
DNS- over-HTTPS server is incompatible with MUD. A local DNS server is
necessary to allow MUD policy enforcement on the local network ( and ).Middle-box needs to act as a (D)TLS 1.3 proxy to observe the
parameters of (D)TLS handshakes from IoT devices and gain good
visibility into TLS 1.3 parameters. The following steps explain the
mechanism to automatically bootstrap IoT devices with local network's
CA certificates and to enable the middle-box to act as a (D)TLS 1.3
proxy.Bootstrapping Remote Secure Key Infrastructures (BRSKI)
discussed in provides a
solution for secure automated bootstrap of devices. BRSKI
specifies means to provision credentials on devices to be used to
operationally access networks. In addition, BRSKI provides an
automated mechanism for the bootstrap distribution of CA
certificates from the Enrollment over Secure Transport (EST) server. The IoT device can use BRSKI to
automatically bootstrap the IoT device using the IoT manufacturer
provisioned X.509 certificate, in combination with a registrar
provided by the local network and IoT device manufacturer's
authorizing service (MASA). The IoT device authenticates to the local network using the
IoT manufacturer provisioned X.509 certificate. The IoT device
can request and get a voucher from the MASA service via the
registrar. The voucher is signed by the MASA service and
includes the local network's CA public key.The IoT device validates the signed voucher using the
manufacturer installed trust anchor associated with the MASA,
stores the CA's public key and validates the provisional TLS
connection to the registrar.The IoT device requests the full EST distribution of
current CA certificates (Section 5.9.1 in ) from
the registrar operating as a BRSKI-EST server. The IoT device
stores the CA certificates as Explicit Trust Anchor database
entries. The IoT device uses the Explicit Trust Anchor
database to validate the server certificate.The middle-box uses the "supported_versions" TLS extension
(defined in TLS 1.3 to negotiate the supported TLS versions
between client and server) to determine the TLS version.
During the (D)TLS handshake, If (D)TLS version 1.3 is used,
the middle-box ((D)TLS proxy) modifies the certificate
provided by the server and signs it with the private key from
the local CA certificate. The middle-box has visibility into
further exchanges between the IoT device and server which
enables it to inspect the (D)TLS 1.3 handshake, enforce the
MUD (D)TLS profile and can inspect subsequent network
traffic.The IoT device uses the Explicit Trust Anchor database to
validate the server certificate.The proposed technique empowers the middle-box to reject (D)TLS 1.3
sessions that violate the MUD (D)TLS profile.This example below contains (D)TLS profile parameters for a IoT
device. JSON encoding of YANG modelled data is used to illustrate the example.Security considerations in need to be
taken into consideration.This document requests IANA to register the following URIs in the
"ns" subregistry within the "IETF XML Registry" : TODODeciphering Malware’s use of TLS (without
Decryption)CiscoCiscoCisco