@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.


SSL Overview
- Goal: secure connection between client and server
  - Data confidentiality
  - Data integrity
  - Source authentication
- Secure a connection vs. secure a datagram (message/packet)
  - Connectionless security service -> PGP -> secure a single message transmission
  - Connection-oriented security service -> SSL
    - Connection -> reliable data transmission
    - Secure a data stream
    - Data in this stream share the same key(s)
    - Need handshake for key establishment
- SSL is built on top of TCP
[Figure: protocol stack with layers Link, Network, Transport, Application; labels: SSL, PGP, TCP]

SSL Security Solution Overview
- How?
  - Authentication -> public-key based authentication
  - Confidentiality -> symmetric encryption
  - Integrity -> symmetric-key based MAC
- Two main "phases"
  - Handshake
  - Data communication
[Figure: Authentication and Key Distribution, then Data Communication; labels: Certificate, Shared secret key 1 for encryption, Shared secret key 2 for MAC, Initialization vector for mode of operation]

SSL Design: Data Communication with Confidentiality and Integrity
[Figure labels: Application data, fragment, MAC, Encrypted, Buffer, TCP]

SSL Design: Authentication and Key Distribution
- Before we get into the detailed design
- Who should get authenticated?
  - Server? Client? Both?
  - Let's start with server authentication
- What are the authentication mechanisms?
  - Symmetric-key, asymmetric-key
  - Let's go with asymmetric-key-based authentication
  - And public-key-based key distribution

Public-Key-Based Secret Key Distribution
- Goal: Alice and Bob share a secret key, no one else
- Comment: Bob does not need to know Alice's identity
- Let's look at a simple solution
  [Figure: message exchange between Alice and Bob: KU_B, then E[KU_B, K_s]]
- Any security problem?

Let's see how SSL solves the problem…

SSL Design: Authentication and Secret Key Establishment
- Use public key to distribute secret key
- Use certificate to authenticate Bob, bind Bob with his public key
[Figure: exchange between Alice and Bob]
  Alice -> Bob: I want to talk to you, R_Alice
  Bob -> Alice: Certificate, R_Bob
  Alice -> Bob: E(KU_bob, S)
  Both sides: K = Hash(S, R_Alice, R_Bob)
  Secure communication via keys derived from K
  Labels: Nonce (R_Alice, R_Bob), Pre-master Secret (S), Master Secret (K)
- Let's go over all the previous attacks, would they work?

SSL Design Details
- Key hierarchy
  - Master secret key: between client and server
  - Session secret key: for each connection
- Choice of cryptographic algorithms
  - Symmetric ciphers
    - Block ciphers: DES, 3DES, IDEA, etc.
    - Stream ciphers: RC4 (RC4-40, RC4-128)
  - MACs
    - HMAC? Well ... a similar one, replace XOR with concatenation
    - Either MD5 or SHA-1
  - How does Bob know what ciphers Alice wants to use?
- Other considerations
  - Authentication of client
  - What if RSA cannot be used?

Finally … Full Version of SSL
- SSL consists of two layers of protocols
- SSL Record Protocol
  - Basic security services to higher layer protocols, e.g., HTTP
- SSL Handshake Protocol
  - Server and client authenticate each other
  - Negotiate encryption, MAC algorithm, and cryptographic keys
- SSL Change Cipher Spec Protocol
- SSL Alert Protocol
[Figure labels: Confidentiality, Message integrity, Management of SSL exchange; SMTP, etc.]

SSL session vs. SSL connection
- Session state
  - Session ID
  - Master secret key
  - Cipher spec
    - data encryption algorithm (DES, IDEA, ...)
    - hash function (MD5, SHA-1, ...)
    - cryptographic attribute (hash size)
  - Peer certificate
  - Compression method
  - Is resumable: whether the session can be used to initiate new connections
- Connection state
  - Server and client random
  - Server write MAC secret: the secret key used in MAC sent by the server
  - Client write MAC secret
  - Server write key: encryption key for data encrypted by the server and decrypted by the client
  - Client write key
  - Initialization vectors
  - Seq number
[Figure labels: Session, Connection]

SSL Record Protocol
- Services
  - Confidentiality: symmetric encryption
  - Message integrity: MAC
[Figure: record processing; labels: Application data, fragment, compress, MAC, Encrypted, SSL record header (Content type, Version, Compressed length)]

MAC Structure
MAC(MAC_write_secret, M) = H[(MAC_write_secret || Pad2) || H[(MAC_write_secret || Pad1) || seq_num || type || length || M]]
- Pad1: 36 in hex, repeated
- Pad2: 5C in hex, repeated
- Similar to HMAC
- Difference: SSL uses concatenation, HMAC uses XOR
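The MAC formula above, written out as an added example (not part of the original slides), with the receiver-side check and an RFC 2104 HMAC over the same bytes for comparison. The pad lengths (48 bytes for MD5, 40 for SHA-1) and the field widths come from the SSL 3.0 specification (RFC 6101); the function names, secret and fragment are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Pad lengths fixed by SSL 3.0 (RFC 6101): 48 bytes for MD5, 40 for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}


def record_header(seq_num, content_type, length):
    """seq_num (64-bit) || type (8-bit) || length (16-bit), big-endian."""
    return struct.pack("!QBH", seq_num, content_type, length)


def ssl3_mac(hash_name, mac_write_secret, seq_num, content_type, fragment):
    """H[(secret || Pad2) || H[(secret || Pad1) || seq_num || type || length || M]]"""
    n = PAD_LEN[hash_name]
    pad1, pad2 = b"\x36" * n, b"\x5c" * n
    header = record_header(seq_num, content_type, len(fragment))
    inner = hashlib.new(
        hash_name, mac_write_secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, mac_write_secret + pad2 + inner).digest()


def verify_record(hash_name, mac_write_secret, seq_num, content_type,
                  fragment, received_mac):
    """Receiver side: recompute with its own sequence counter and compare
    in constant time."""
    expected = ssl3_mac(hash_name, mac_write_secret, seq_num,
                        content_type, fragment)
    return hmac.compare_digest(expected, received_mac)


def hmac_same_input(hash_name, mac_write_secret, seq_num, content_type,
                    fragment):
    """RFC 2104 HMAC over the same bytes: the key is XORed with the pads."""
    header = record_header(seq_num, content_type, len(fragment))
    return hmac.new(mac_write_secret, header + fragment, hash_name).digest()


# Constructed sample values, not taken from a real session.
SECRET = bytes(range(20))
APPLICATION_DATA = 23  # record content type for application data
FRAGMENT = b"GET /account HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    tag = ssl3_mac("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT)
    print("MAC      :", tag.hex())
    print("in order :", verify_record("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT, tag))
    print("replayed :", verify_record("sha1", SECRET, 1, APPLICATION_DATA, FRAGMENT, tag))
```

Because seq_num is inside the inner hash, a record replayed or reordered within the connection fails verification even though its bytes are unchanged.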

SSL Handshake Protocol
- Function
  - Client authenticates server; server authenticates client (optionally)
  - Negotiate encryption, MAC algorithm, and cryptographic keys
- Message format
  - Type: one of the 10 messages
    - Hello_request; client_hello; server_hello; etc.
  - Length
  - Content: parameters


Comparison
[Figure: comparison diagram. Labels: Alice, Bob; I want to talk to you, R_Alice; Certificate, R_Bob; E(KU_bob, S); Secure communication via keys derived from K]

- Nonce: Timestamp (32 bit) + random number (28 bit) -> prevent replay attack
- A client sends a client_hello message specifying
  - highest TLS protocol version it supports
  - a random number
  - session ID
  - a list of suggested cipher suites
  - compression methods
- The server responds with a server_hello message containing
  - chosen protocol version
  - a random number (independent from the one from the client)
  - chosen cipher suite and compression method, from the choices offered by the client
- The server may also send a session ID to perform a resumed handshake
  - If client's session ID is nonzero -> server uses the same one
  - Otherwise -> server picks a new session

CipherSuite
- Key exchange method
  - RSA
  - Fixed Diffie-Hellman: based on public parameter in server's CA; fixed secret key
  - Ephemeral Diffie-Hellman: one-time secret key; most secure of the D-H options
  - Anonymous Diffie-Hellman: no authentication, vulnerable to man-in-the-middle attacks
- CipherSpec
  - Cipher Algorithm: RC4, RC2, DES, 3DES, ...
  - MAC Algorithm: MD5 or SHA-1
  - CipherType: MD5 or SHA-1
  - HashSize; IV Size (for CBC mode) ...

Server authentication and key exchange
- Certificate message
  - Required for all authenticated key exchange, except anonymous D-H
  - For Fixed D-H, it contains the server's public D-H parameters
- Server_key_exchange message
  - Not used when (1) fixed D-H, certificate has parameter; (2) RSA key exchange
  - Needed: (1) Anonymous D-H; (2) Ephemeral D-H; (3) RSA key exchange, but server only has a signature-only RSA key
  - Plus a signature: hash(client.random || server.random || ServerParameters)
- Certificate_request message
  - If a non-anonymous server wants to authenticate client
- Server_hello_done message
  - No parameter

Goal: Client Authentication and Key Exchange
- Client verifies CA from server
- Check server_hello parameters
- Certificate
  - If server requested it
- Client_key_exchange: depends on the key exchange type
  - RSA: generate 48-byte pre-master secret S, then encrypt -> E(KU_bob, S)
  - Ephemeral or anonymous D-H: client's public D-H parameters
  - Fixed D-H: null, parameters are in certificate
- Certificate_verify
  - Explicit verification of a client certificate; only sent following any client certificate that has signing capability

Change_cipher_spec
- Master Secret Creation
  Master_secret =
      MD5(pre_master_secret || SHA('A' || pre_master_secret || client.random || server.random)) ||
      MD5(pre_master_secret || SHA('BB' || pre_master_secret || client.random || server.random)) ||
      MD5(pre_master_secret || SHA('CCC' || pre_master_secret || client.random || server.random))
- Finished: verifies key exchange and authentication are successful
  - The content of the finished message is the concatenation of two hash values
    - MD5(master_secret || pad2 || MD5(handshake_msg || sender || master_secret || pad1))
    - SHA1(master_secret || pad2 || SHA1(handshake_msg || sender || master_secret || pad1))
- Generation of session keys (e.g., client write MAC secret ...)
- Remember HMAC?
- Change Cipher Spec Protocol
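The master secret formula above and the session key generation it leads to, as an added example that is not part of the original slides. It goes one step beyond the slide by splitting the key block into the connection-state keys in the order given by the SSL 3.0 specification (RFC 6101); the default key sizes (SHA-1 MAC, 3DES in CBC mode), the function names and the sample inputs are assumptions made for illustration.

```python
import hashlib


def ssl3_expand(secret, seed, n_bytes):
    """Concatenate MD5(secret || SHA1(label || secret || seed)) for labels
    'A', 'BB', 'CCC', ... until n_bytes are available."""
    out = b""
    round_no = 1
    while len(out) < n_bytes:
        label = bytes([ord("A") + round_no - 1]) * round_no
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        round_no += 1
    return out[:n_bytes]


def master_secret(pre_master_secret, client_random, server_random):
    """Three rounds of 16 bytes each: the 48-byte master secret."""
    return ssl3_expand(pre_master_secret, client_random + server_random, 48)


def session_keys(master, client_random, server_random,
                 mac_len=20, key_len=24, iv_len=8):
    """Split the key block in RFC 6101 order. The default sizes are an
    assumption: a SHA-1 MAC with 3DES in CBC mode."""
    # The key block is seeded with server.random first, then client.random.
    block = ssl3_expand(master, server_random + client_random,
                        2 * (mac_len + key_len + iv_len))
    layout = [("client_write_MAC_secret", mac_len),
              ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len),
              ("server_write_key", key_len),
              ("client_write_IV", iv_len),
              ("server_write_IV", iv_len)]
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


# Constructed sample values, not from a captured handshake.
PRE_MASTER = b"\x03\x00" + bytes(range(46))   # 48-byte pre-master secret S
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    for name, value in session_keys(ms, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:24s} {value.hex()}")
```

Both randoms feed every derivation, so the same pre-master secret paired with a fresh server random yields an unrelated master secret and key set.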

Protocol messages: Wireshark output

Other two protocols
- Change Cipher Spec Protocol
  - Use SSL record protocol
  - Update the cipher suite to be used on this connection
- Alert Protocol
  - Control and management protocol

SSL vs. TLS
- Netscape originated SSL v2 in Navigator 1.1 in 1995
- SSL v2 is flawed in a variety of ways
- SSL v3 is most commonly deployed
- IETF formed a TLS working group
  - "The TLS protocol itself are based on the SSL 3.0 Protocol Specification as published by Netscape. The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although TLS 1.0 does incorporate a mechanism by which a TLS implementation can back down to SSL 3.0)"
- TLS mandated the use of DSS instead of RSA
- Further Reading

SSL in practice
- SSL is used in many services
  - SSL protocol can be used to protect the transmission for any TCP/IP service.
  - SSL protects the HTTP protocol -> HTTPS -> details in Web Security class
  - SSL protects sending and receiving (SMTP, POP3, etc.)

Further Reading
- RFC 2246 (TLS)
- RFC 2818 (HTTP over TLS)