TLS/SSL Protocol
Presented by: Vivek Nelamangala
Includes slides presented by Miao Zhang on April
Course: CISC856 - TCP/IP and Upper Layer Protocols
Date: April

What is TLS/SSL
● Protocol layer below application layer
● Can work on top of TCP or UDP
● Any application protocol can work over TLS

Motivation
● Security features in various network layers
  – Network layer – IPSec and IKE
  – Transport layer – SSL/TLS
  – Application layer – PGP and many more
● Transport layer security provides end-to-end security without involving intermediaries, and applications don't need to be modified too much

TLS in the TCP/IP suite
[Figure: protocol stack diagram. Labels: Application Layer; TLS Handshake Protocol, TLS Change Cipher Spec, TLS Alert Protocol, TLS Data Protocol; TLS Record Protocol; TCP, UDP; IP; Data Link]

Encryption Basics
● Classes of Cryptographic Systems
  – Unkeyed – One-way functions, hash functions – MD5, SHA1
  – Shared key encryption – DES, AES, 3DES, RC2, RC4, etc.
  – Public key encryption – RSA, DSA, FORTEZZA
● TLS uses all 3 kinds of encryption

TLS Features
● Privacy
● Integrity
● Authentication

Privacy
● Only communicating parties can interpret the content
● Cryptographically protects messages before leaving the sender
● Uses conventional cryptography with a shared key created dynamically

Integrity
● Content modified in transit is detected and discarded
● Each TLS PDU is affixed with a message authentication code (MAC):
  – Hash of the message – MD5 and SHA1
  – Shared secret
  – Sequence number
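
The MAC described on this slide, as an added example that is not part of the original slides: it follows the TLS 1.0 record MAC from RFC 2246 (HMAC-SHA1 over the sequence number, record header fields and fragment) and shows that a replayed or modified record fails verification. Encryption is left out, and the key, class names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # record content type for application data
TLS_1_0 = (3, 1)        # major, minor version bytes carried in each record
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def record_mac(mac_key, seq_num, fragment):
    # RFC 2246 6.2.3.1: HMAC(key, seq_num || type || version || length || fragment)
    prefix = struct.pack("!QBBBH", seq_num, APPLICATION_DATA, *TLS_1_0, len(fragment))
    return hmac.new(mac_key, prefix + fragment, hashlib.sha1).digest()


class Sender:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def protect(self, fragment):
        mac = record_mac(self.mac_key, self.seq, fragment)
        self.seq += 1            # the counter is implicit: it is never sent
        return fragment + mac


class Receiver:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def accept(self, protected):
        fragment, mac = protected[:-MAC_LEN], protected[-MAC_LEN:]
        expected = record_mac(self.mac_key, self.seq, fragment)
        if not hmac.compare_digest(mac, expected):
            return None          # real TLS treats this as fatal and closes the connection
        self.seq += 1
        return fragment


def demo():
    key = b"constructed-mac-key!"          # constructed sample key, not a real secret
    tx, rx = Sender(key), Receiver(key)
    first, second = tx.protect(b"GET /a"), tx.protect(b"GET /b")
    tampered = bytes([second[0] ^ 0x01]) + second[1:]
    return {
        "in_order": rx.accept(first),      # receiver counter 0 matches
        "replayed": rx.accept(first),      # counter is now 1, MAC was made with 0
        "tampered": rx.accept(tampered),   # one flipped bit in the fragment
        "next": rx.accept(second),         # untouched record still verifies
    }
```

Because the sequence number is counted independently on each side and only enters the MAC, a record that is replayed, dropped or reordered fails the check even though its bytes are unmodified.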

Authentication
● Communicating parties are able to verify each other's identity
● Based on public key certificates
● Uses X.509 protocol for certificate management
● Client authentication is optional

[Figure: record processing steps, from Application to TCP: A-PDU → Fragment → Compress → Add Message Authentication Code (MAC) → Encrypt → Add PCI → TLS PDU. Figure annotations: "or less", "lossless"]

Separate port strategy
● Separate TCP/UDP ports, fixed by IANA, are used for secure versions of the application protocols
● Standard naming convention is to use the un-secured application protocol name affixed with an 's'
● For example: https (443), imaps (993), ldaps (636), etc.
[Figure: Client and Server listening on TCP port 443: TCP Connection setup, TLS Handshake, HTTP PDU]

Upward negotiation strategy
● Additional commands are added to the protocol to negotiate use of TLS
● Same port can serve both secured and un-secured versions of the protocol
● Examples: Extended SMTP (with STARTTLS extension), HTTP v1.1 (using Upgrade header field)
[Figure: Client and Server listening on TCP port 25: TCP Connection setup, SMTP EHLO, STARTTLS, TLS Handshake, SMTP EHLO, SMTP PDU]

TLS Protocol Format
[Figure: TLSCipherText record layout. TLS PCI: Content type, Major version, Minor version, Compressed length; followed by Encrypted Text/Payload and Encrypted MAC]
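
A parser for the record header shown on this slide, as an added example that is not part of the original slides: it splits a byte stream into records using the 5-byte header (content type, major version, minor version, length) and rejects input that cannot be a TLS record. The content type numbers and the length bound are taken from RFC 2246; the sample stream is constructed.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5
MAX_CIPHERTEXT = 2**14 + 2048   # upper bound on TLSCiphertext.length (RFC 2246)


def parse_records(stream):
    """Return (records, leftover).

    records is a list of (type_name, (major, minor), payload) tuples.
    leftover is an incomplete trailing record that needs more bytes from TCP.
    Raises ValueError when a header cannot belong to a TLS record.
    """
    records, pos = [], 0
    while len(stream) - pos >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {pos}")
        if major != 3:
            raise ValueError(f"unexpected major version {major} at offset {pos}")
        if length > MAX_CIPHERTEXT:
            raise ValueError(f"record length {length} exceeds limit at offset {pos}")
        body_start = pos + HEADER_LEN
        if len(stream) - body_start < length:
            break                       # payload not fully received yet
        payload = stream[body_start:body_start + length]
        records.append((CONTENT_TYPES[ctype], (major, minor), payload))
        pos = body_start + length
    return records, stream[pos:]


def sample_stream():
    # Constructed input: two complete records, then a record whose header
    # announces 32 payload bytes but only 10 have arrived.
    handshake = bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00"
    ccs = bytes([20, 3, 1, 0, 1]) + b"\x01"
    partial = bytes([23, 3, 1, 0, 32]) + b"\xaa" * 10
    return handshake + ccs + partial
```

Plaintext sent to a TLS port fails on the first byte: `parse_records(b"GET / HTTP/1.1\r\n")` raises `ValueError` because `G` (71) is not a record content type.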

TLS Protocol Format
● TLS Record Protocol
● TLS Data Protocol
● TLS Handshake Protocol
● TLS Change Cipher Spec
● TLS Alert Protocol

TLS Session and Connection
● TLS Connection – Used for actual cryptographically protected data transmission
● TLS Session – Association between two communicating parties created using the TLS handshake protocol. Can be broken and resumed, and shared among multiple TLS connections.

TLS Handshake Protocol
● Forms the core of TLS
● Allows a client and server to authenticate each other and to negotiate connection parameters like cipher suites and compression methods
● Initial transmissions are in plaintext

TLS connection state elements
● Server and client random seeds
● Server write MAC key
● Client write MAC key
● Server write key
● Client write key
● Sequence numbers

[Figure: handshake message flow between Client and Server over Time; each message is marked required or optional]
● Phase 1: Establish security capabilities.
  – client_hello
  – server_hello
● Phase 2: Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase.
  – certificate
  – server_key_exchange
  – certificate_request
  – server_hello_done
● Phase 3: Client sends certificate if requested. Client sends key exchange. Client may send certificate verification.
  – certificate
  – client_key_exchange
  – certificate_verify
● Phase 4: Change cipher suite and finish handshake protocol.
  – change_cipher_spec
  – finished
  – change_cipher_spec
  – finished
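
The four-phase message order above, written as a checker (an added example, not part of the original slides): it walks a recorded handshake and reports the first message that is out of order, missing, or not permitted, such as a client certificate that was never requested. The trace format of (sender, message) pairs and the function name are assumptions of this example; it covers the full handshake only, not session resumption.

```python
# (sender, message, required) in the order given by the four phases
FLOW = [
    ("client", "client_hello", True),
    ("server", "server_hello", True),
    ("server", "certificate", False),
    ("server", "server_key_exchange", False),
    ("server", "certificate_request", False),
    ("server", "server_hello_done", True),
    ("client", "certificate", False),
    ("client", "client_key_exchange", True),
    ("client", "certificate_verify", False),
    ("client", "change_cipher_spec", True),
    ("client", "finished", True),
    ("server", "change_cipher_spec", True),
    ("server", "finished", True),
]


def check_handshake(trace):
    """Return None if trace follows FLOW, else a description of the first violation."""
    seen, step = set(), 0
    for sender, msg in trace:
        # Skip optional messages the peer left out; stop at a required mismatch.
        while step < len(FLOW) and FLOW[step][:2] != (sender, msg):
            if FLOW[step][2]:
                return f"expected {FLOW[step][0]} {FLOW[step][1]}, got {sender} {msg}"
            step += 1
        if step == len(FLOW):
            return f"unexpected {sender} {msg}"
        if (sender, msg) == ("client", "certificate") and \
                ("server", "certificate_request") not in seen:
            return "client certificate sent without certificate_request"
        if (sender, msg) == ("client", "certificate_verify") and \
                ("client", "certificate") not in seen:
            return "certificate_verify sent without client certificate"
        seen.add((sender, msg))
        step += 1
    missing = [f"{s} {m}" for s, m, required in FLOW[step:] if required]
    return f"handshake incomplete: missing {missing[0]}" if missing else None
```

A trace in which the client sends finished without a preceding change_cipher_spec is reported as `expected client change_cipher_spec, got client finished`.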
TLS ClientHello PDU
TLS Certificate PDU
TLS Finished PDU

A typical TLS Web request
[Figure: request over the Internet: DNS; TCP Connection setup (SYN, SYN ACK); TLS Handshake; TLS ChangeCipherSpec; HTTP. Spans marked: TCP Connection, TLS Connection, TLS Session]

A typical TLS Web request
[Figure: request over the Internet: TCP Connection setup (SYN, SYN ACK); ClientHello, SessionID; ServerHello, SessionID; TLS ChangeCipherSpec; HTTP. Spans marked: TCP Connection, TLS Connection, TLS Session]