  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Testing TLS 1.3 Implementations Against Common Criteria for Information Technology Security Evaluation : Using TLS-Attacker to automate collaborative Protection Profile tests

Tacchi Mondaca, Antonello January 2024
In today’s digital society where all daily actions are performed over the internet, there is an ever-increasing need to ensure security when dealing with sensitive information. The default standard for securing communications over the internet, the Transport Layer Security (TLS) protocol, was used for over 90 % of all traffic communication in 2020. TLS has also in recent years received an upgrade, with the new version being 1.3, which introduced substantial changes in its communication protocol. As such, it is of vital importance to ensure that its current standard manages to ensure continued security when using encrypted communications over the internet in accordance with international standards, such as the Common Criteria (CC) standard. This leads us to the problem of how to ensure that evaluation of TLS implementations is done efficiently while ensuring the quality of the evaluation. More specifically, we aim to see how we can automate parts of the evaluation process by creating tests according to the requirements of the Supporting Document (SD) of the CC standard. In this paper we create various tests according to the CC standard for TLS 1.3 implementations that can be automatically run in order. We then use the OpenSSL command line tool as an implementation and run it against our created tests. This was done by using the TLS-Attacker testing framework to not only establish TLS handshakes as either server or client, but also edit which parameters are accepted and the created data packets themselves to test how the implementation handles specific changes in the handshake. The result of the experiment is a series of tests which evaluate whether or not a TLS 1.3 implementation fulfills the requirements set by the CC standard. Our subset of tests covers client and server tests and evaluates an implementation’s use of ciphersuites, named groups, curves, and session resumption.
Our results provide a base for creating the remaining tests for TLS 1.3, which is readily extendable through the use of the testing framework, TLS-Attacker. Remaining tests include the use of certificates, as well as Datagram Transport Layer Security (DTLS) for server and client, which could be the focus for future work. / In today's society, where more and more actions and transactions take place digitally, there is a growing need to ensure security when sensitive information is handled. The most common standard for securing communication over the internet, TLS, was used in over 90% of all traffic communication in 2020. TLS has also been upgraded in recent years to version 1.3, which introduced significant changes to its communication protocol. It is therefore of crucial importance to ensure that the current standard is able to ensure secure encrypted communications over the internet in accordance with international standards, such as the CC standard. This leads us to the problem of how to ensure that evaluations of TLS are carried out in an efficient and smooth manner while maintaining the quality of the evaluation. More specifically, we aim to see how we can automate parts of the evaluation process by creating tests according to the requirements in the SD for the CC standard. In this thesis we create various tests according to the CC standard for TLS 1.3 implementations that can be run automatically in order. We then use the OpenSSL command line tool as a TLS implementation and run it against our created tests. This was carried out with the help of the TLS-Attacker testing framework to not only establish TLS handshakes as either server or client, but also edit which parameters are accepted as well as which data packets are sent, and how the implementation handles changes during the handshake. The result of the experiment is a series of tests that evaluate whether a TLS 1.3 implementation fulfills the requirements set by the CC standard. Our subset of tests covers client and server tests, and evaluates an implementation's use of cipher suites, groups, curves and session resumption. Our results provide a base for creating remaining tests for TLS 1.3, which can be extended through the use of the testing framework, TLS-Attacker. Remaining tests include the use of certificates, as well as DTLS for server and client, which can be the focus of future work.
2

Multi-level policy in the Baltic Sea : An Environmental Policy Integration analysis of the Swedish Exclusive Economic Zone

Miyatani, Johan January 2021
It is no secret that policy, to a large degree, informs what policy objectives should and can be pursued given a sector or policy domain. However, what happens when multiple levels of policy exist and regulate the same geographical area? The present study explores how complex multi-leveled policy areas affect Environmental Policy Implementation (EPI) and what happens when policy objectives from one level stand against policy objectives on another. By looking at national, supranational, and international policy governing the Swedish Exclusive Economic Zone (SEEZ) and comparing these to the Swedish government decisions on the Nord Stream I and II pipelines (2009 and 2018), the present study has explored to what extent policy objectives and underlying frames from the different policy levels have affected the decisions. The study has worked through the theoretical lenses of Environmental Policy Integration and Frame theory, and has applied thematic analysis and frame analysis methods. The study has concluded that, while policy objectives reflecting strong EPI exist in national policy, the weak EPI of the supranational and international policies' policy objectives makes it implausible for effective EPI to be the outcome of decisions in the SEEZ. Without a strong value hierarchy prioritizing environmental objectives, it is unlikely that the Baltic Sea, or other similar multi-leveled policy areas, can achieve sustainable development.
