Advanced Client/Server Authentication in TLS

Slides:



Advertisements
Similar presentations
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Advertisements

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Secure Socket Layer.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Responding to Policies at Runtime in TrustBuilder Bryan Smith, Kent E. Seamons, and Michael D. Jones Computer Science Department Brigham Young University.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
A Survey of WAP Security Architecture Neil Daswani
Using Digital Credentials On The World-Wide Web M. Winslett.
Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Proposed Transport Layer Security (TLS) Evidence Extensions Russ Housley IETF 67 – TLS WG Session.
Web Security : Secure Socket Layer Secure Electronic Transaction.
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH
TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
The Secure Sockets Layer (SSL) Protocol
TOPIC: HTTPS (Security protocol)
TLS authentication using ETSI TS and IEEE certificates
Web Security CS-431.
IT443 – Network Security Administration Instructor: Bo Sheng
CSCI 555 Adv Computer Security
Kent Seamons Brigham Young University Marianne Winslett, Ting Yu
Cryptography and Network Security
Secure Sockets Layer (SSL)
CSCE 715: Network Systems Security
COMP3220 Web Infrastructure COMP6218 Web Architecture
GSS-API based Authentication and Key Establishment in TLS
CS691 M2009 Semester Project PHILIP HUYNH
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
CSE 4095 Transport Layer Security TLS, Part II
CSE 4095 Transport Layer Security TLS
Cryptography and Network Security
MIDP Application Security
CS 465 TLS Last Updated: Oct 31, 2017.
Cryptography and Network Security
Tim van der Horst, Tore Sundelin, Kent Seamons, and Charles Knutson
SSL (Secure Socket Layer)
Chapter 7 WEB Security.
Security at the Transport Layer: SSL and TLS
CSCE 815 Network Security Lecture 16
SSL Protocol Figures used in the presentation
The Secure Sockets Layer (SSL) Protocol
A Programmer’s Guide to Secure Connections
Chapter 7 WEB Security.
Transport Layer Security (TLS)
Protecting Privacy During On-line Trust Negotiation
Advanced Computer Networks
Cryptography and Network Security
Policy Language Requirements for Trust Negotiation
Presentation transcript:

Advanced Client/Server Authentication in TLS Adam Hess, Jared Jacobson, Hyrum Mills, Ryan Wamsley, Kent E. Seamons, Bryan Smith Internet Security Research Lab Brigham Young University http://isrl.cs.byu.edu seamons@cs.byu.edu Network and Distributed System Security Symposium February 7-8, 2002 San Diego, CA

Overview Motivation Trust negotiation Trust negotiation protocol vs. strategy TLS client/server authentication Trust negotiation in TLS (TNT) protocol Future work Conclusions

Motivation: Trust Establishment Trust establishment between strangers in open system. The client and server are not in the same security domain. Identity is irrelevant to the access control decision. Access control is often based on attributes of the client or server other than identity. Examples: citizenship, clearance, job classification, group memberships, licenses, client’s role within an organization, etc.

Digital Credentials A credential is the vehicle for carrying attribute information reliably. A credential contains attributes of the credential owner asserted by the issuer (attribute authority). Credentials may contain sensitive information and should be treated as protected resources.

Access Control Policies The disclosure of a sensitive credential is governed by an access control policy that specifies credentials that must be received from another party prior to disclosing the sensitive credential to that party. Policies themselves may be disclosed so that the participants can discover the requirements for establishing trust. Policies may be sensitive. Support for sensitive policies using a policy graph (Seamons et al., NDSS 2001).

Trust Negotiation The iterative exchange of digital credentials between two negotiation participants in order to gradually establish trust. Begin by exchanging less sensitive credentials. Build trust gradually in order to exchange more sensitive credentials.

Trust Negotiation Example Show me your reseller license along with your credit card number or your CPN member card. You are qualified to be exempt from sales tax. Here is my Better Business Bureau Certificate. Here is my credit card number. Here’s my reseller license. I have a credit card. But prove you are member of Better Business Bureau first. I request to be exempt from sales tax. Nowadays, E-business over the Internet is developing very fast. Usually the service of a server is not available to just anybody. A certain level of trust should be established by a client can get access to the service. Currently the dominant approach is that a client either create an account in the server Landscape Designer Champaign Prairie Nursery

Negotiation Protocol vs. Strategy Protocol – defines the ordering of messages and the type of information messages contain. Strategy – controls the exact contents of messages. Which credentials to disclose and when to disclose them Which credentials to request and when to request them When to terminate a negotiation Goal: a single trust negotiation protocol capable of supporting multiple, interoperable negotiation strategies (Yu et al., CCS 2001). Negotiation strategy family - all strategies within a negotiation strategy family can interoperate.

TrustBuilder Trust Negotiation Architecture Negotiation Strategy Negotiation Strategy Negotiation Strategy Negotiation Strategy Negotiation Strategy Negotiation Strategy TrustBuilder Protocol TrustBuilder Protocol HTTPS TNT HTTPS TNT

Trust Negotiation Protocol Requirements Exchange credentials and policies Confidential communication to safeguard contents from an eavesdropper Verify credential contents Prove ownership of private keys

Trust Negotiation in TLS (TNT) TLS-based protocol for trust negotiation Result from an analysis of the SSL/TLS handshake protocol for its suitability as a protocol for trust negotiation. TLS provides an option for client/server authentication using certificates Goal: extend TLS client/server authentication to support trust negotiation

TLS Handshake Protocol using RSA Key Exchange Client Finished ChangeCipherSpec CertificateRequest ServerHelloDone Server ClientHello ServerHello Certificate ClientKeyExchange CertificateVerify

TLS Handshake Protocol Hello messages: Client Server ClientHello ServerHello

TLS Handshake Protocol Server certificate: Client Server Certificate CertificateRequest ServerHelloDone

TLS Handshake Protocol Client certificate: Client Server Certificate ClientKeyExchange CertificateVerify

TLS Handshake Protocol Conclusion: Client Server ChangeCipherSpec Finished Finished ChangeCipherSpec

Limitations in TLS Authentication TLS client/server authentication has limitations for use in establishing trust between strangers. Certificates are exchanged in plain text, allowing an eavesdropper access to sensitive certificates. The client and server each disclose a single certificate chain to each other. The server specifies a list of distinguished names of certifying authorities that the server trusts. In contrast, the client has no such opportunity.

Limitations in TLS Authentication The server discloses its certificates before the client discloses a certificate. The client always receives a certificate from the server before it must disclose a certificate. However, server certificate ownership is not established when the client certificate is disclosed. There is no facility for requesting additional certificates from the client or server during the handshake.

Extend TLS Authentication to Support Trust Negotiation Extend the TLS handshake protocol to function as a trust negotiation protocol. TNT leverages existing and proposed features of the TLS handshake protocol. Client hello and server hello extensions TLS rehandshake Session resumption

TLS Hello Message Extensions Currently, there is a proposal to the IETF to extend the hello messages such that a TLS client and server can communicate new capabilities to each other. TNT makes use of these extensions to indicate support for trust negotiation and to specify the trust negotiation strategy family to be used during the negotiation. The client submits a list of possible negotiation strategy families, and the server responds with a single selection.

TLS Rehandshake In the context of an encrypted TLS session, either the client or the server may initiate a rehandshake. The server desires further certificates from the client for purposes of authentication or authorization. Cipher suite upgrading Replenishment of keying material Trust negotiations involving sensitive credentials and policies must be conducted over a secure channel in order to remain confidential. The initial TLS handshake is not confidential. TNT is designed to occur in the context of a TLS rehandshake.

TLS Session Resumption Session resumption is an optimization that allows a client and server to resume a session without repeating expensive cryptographic operations. The server maintains a cache of SSL session IDs and the master secret used to generate keying material. In TNT, once a trust negotiation succeeds during a rehandshake, the client and server conclude using the session resumption optimization, thus avoiding the need to establish a new master secret. This same approach should be adopted in the TLS standard for any TLS rehandshake.

HelloNegotiationRequest TNT Protocol Client Server HelloNegotiationRequest ClientHello ServerHello Certificate Overview: * CertificateVerify Policy * ServerTurnDone + Certificate CertificateVerify * Policy * ClientTurnDone NegotiationDone ChangeCipherSpec Finished ChangeCipherSpec Finished

HelloNegotiationRequest TNT Protocol Hello messages: Client Server HelloNegotiationRequest ClientHello ServerHello

TNT Protocol Server certificate: Client Server * Certificate CertificateVerify * Policy ServerTurnDone

TNT Protocol Client certificate: Client Server * CertificateVerify Policy * ClientTurnDone

TNT Protocol Negotiation: + * ClientTurnDone Policy CertificateVerify Server ServerTurnDone +

TNT Protocol Conclusion: Client Server NegotiationDone ChangeCipherSpec Finished Finished ChangeCipherSpec

HelloNegotiationRequest TNT Protocol Client Server HelloNegotiationRequest ClientHello ServerHello Overview: Certificate * CertificateVerify Policy * ServerTurnDone + Certificate CertificateVerify * Policy * ClientTurnDone NegotiationDone ChangeCipherSpec Finished ChangeCipherSpec Finished

Overcoming TLS Limitations TNT overcomes the limitations in TLS client/server authentication for use in establishing trust between strangers. TNT is conducted within the scope of an encrypted TLS rehandshake. The client and server can exchange multiple certificate chains during each round of a negotiation. The TNT protocol allows either the client or server to disclose certificates first.

Overcoming TLS Limitations The client and server have equal opportunity to disclose policies to one another to specify their trust requirements. The client and server both send certificate verify messages to one another after disclosing a certificate to establish certificate ownership. Client and server may request multiple certificates from each other.

TNT Implementation A prototype of TNT has been developed for the TrustBuilder architecture. TNT implementation is an extension to the Java PureTLS toolkit developed by Eric Rescorla (see http://www.rftm.com/). Policy language and compliance checker is built using the IBM Trust Establishment system developed at the IBM Haifa Research Lab (RSA Security Conference 2001).

TNT Implementation Architecture PureTLS Client d,e Certificates Policies Services TrustBuilder b,c RMI PureTLS Server IBM Trust Establishment Module a TNT Key ( a ) Remote Certificates / Policies ( b ) Remote Certificates / Local Policies ( c ) Local Certificates / Remote Policies ( d ) Unlocked Local Certificates/ Policies ( e ) Authorization Decision RMI a d TrustBuilder b,c d IBM Trust Establishment Module

Conclusions TNT Trust Negotiation Protocol TNT protocol extends the TLS handshake protocol to support trust negotiation, overcoming limitations in the current TLS handshake for establishing trust between strangers Support for confidential trust negotiation, credential verification, and verification of credential ownership Straightforward to implement by extending existing TLS implementations Provides robust experimental testbed for trust negotiation strategies Potential technology transfer path for trust negotiation

Future Work Interoperable trust negotiation strategies Trust Negotiation Protocol HTTPS-based protocol using web servlet architecture TLS handshake IPsec authentication Client-initiated trust establishment Out-of-band trust negotiation architecture

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.