CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

Web Security Web is now widely used by business, government, and individuals But Internet and Web are vulnerable Have a variety of threats integrity confidentiality denial of service authentication Need to add security mechanisms 10/19/2010

Security Socket Layer (SSL) Security service at transport layer Originally developed by Netscape SSLv3 was designed with public input Subsequently became Internet standard known as Transport Layer Security (TLS) Use TCP to provide reliable end-to-end service 10/19/2010

SSL Services SSL provides SSL does not prevent Client-server authentication (public-key cryptography) Data traffic confidentiality Message authentication and integrity check SSL does not prevent Traffic analysis TCP implementation oriented attacks 10/19/2010

SSL State Information SSL session is stateful  SSL protocol must initialize and maintain session state information on either side of the session SSL session can be used for several connections  connection state information 10/19/2010

SSL Session State Information Session ID: chosen by the server to identify an active or resumable session state Peer certificate: certificate for peer entity (X.509 v. 3) Compression method: algorithm to compress data before encryption Cipher spec: specification of data encryption and MAC algorithms Master secret: 48-byte secret shared between client and server Is resumable: flag that indicates whether the session can be used to initiate new connections 10/19/2010

SSL Connection State Information Server and client random: byte sequences that are chosen by server and client for each connection Server write MAC secret: secret used for MAC on data written by server Client write MAC secret: secret used for MAC on data written by client Server write key: key used for data encryption by server and decryption by client Client write key: key used for encryption by client and decryption by server Initialization vector: for CBC block ciphers Sequence number: for both transmitted and received messages, maintained by each party 10/19/2010

SSL Protocol Architecture 10/19/2010

SSL Protocol SSL has two layers of protocols SSL Record Protocol Layered on top of a connection-oriented and reliable transport layer service Provides message origin authentication, data confidentiality, and data integrity SSL sub-protocols Layered on top of the SSL Record Protocol Provides support for SSL session and connection establishment 10/19/2010

SSL Record Protocol Receives data from higher layer protocols Provide two services confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption (optional) message integrity using a MAC with shared secret key similar to HMAC but with different padding 10/19/2010

SSL Record Protocol Operation 10/19/2010

SSL Record Format 10/19/2010

SSL Change Cipher Spec Protocol A single message with only one byte “1” Cause pending state to become current, hence updating the cipher suite in use 10/19/2010

SSL Alert Protocol Use two-byte message to convey SSL-related alerts to peer entity First byte is severity level warning(1) or fatal(2) Second byte is specific alert Always fatal: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter Other alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown Compressed and encrypted like all SSL data 10/19/2010

SSL Handshake Protocol Allow server and client to authenticate each other negotiate encryption and MAC algorithms negotiate cryptographic keys to be used Comprise a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish 10/19/2010

SSL Handshake Messages 10/19/2010

SSL Handshake C  S: CLIENTHELLO S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH S  C: CHANGECIPHERSPEC 10/19/2010

SSL Handshake CLIENTHELLO message is sent by the client C  S: CLIENTHELLO CLIENTHELLO message is sent by the client When the client wants to establish a TCP connection to the server, When a HELLOREQUEST message is received, or When client wants to renegotiate security parameters of an existing connection Message content: Number of highest SSL understood by the client Client’s random structure (32-bit timestamp and 28-byte pseudorandom number) Session ID client wishes to use (ID is empty for new session) List of cipher suites the client supports List of compression methods the client supports 10/19/2010

SSL Handshake Server processes CLIENTHELLO message S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE Server processes CLIENTHELLO message Server responds to client with SERVERHELLO message: Server version number: lower version of that suggested by the client and the highest supported by the server Server’s random structure: 32-bit timestamp and 28-byte pseudorandom number Session ID: corresponding to this connection Cipher suite: selected by the server from client’s list Compression method: selected by the server from client’s list 10/19/2010

SSL Handshake } Optional messages: CERTIFICATE: S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE } Optional messages: CERTIFICATE: If the server is using certificate-based authentication May contain RSA public key  good for key exchange SERVERKEYEXCHANGE: If the client does not have certificate, has certificate that can only be used to verify digital signatures, or uses FORTEZZA token-based key exchange CERTIFICATEREQUEST: Server may request personal certificate to authenticate a client 10/19/2010

SSL Handshake Client processing: Verifies site certification C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH Client processing: Verifies site certification Valid site certification if the server’s name matches the host part of the URL the client wants to access Checks security parameters supplied by the SERVERHELLO 10/19/2010

SSL Handshake Client messages: CERTIFICATE C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH Client messages: CERTIFICATE If server requested a client authentication, client sends CLIENTKEYEXCHANGE Format depends on the key exchange algorithm selected by the server RSA: 48-byte premaster secret encrypted by the server’s public key Diffie-Hellman: public parameters between server and client in SERVERKEYEXCHANGE and CLIENTKEYEXCHANGE messages FORTEZZA: token-based key exchange based on public and private parameters Premaster key is transformed into a 48-byte master secret, stored in the session state 10/19/2010

SSL Handshake Client messages: CERTIFICATEVERIFY C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH Client messages: CERTIFICATEVERIFY If client authentication is required Provides explicit verification of the user’s identity (personal certificate) CHANGECIPHERSPEC Completes key exchange and cipher specification FINISH Encrypted by the newly negotiated session key Verifies that the keys are properly installed in both sites 10/19/2010

SSL Handshake S  C: CHANGECIPHERSPEC FINISH Server finishes handshake by sending CHANGECIPHERSPEC and FINISH messages After SSL handshake completes a secure connection is established to send application data encapsulated in SSL Record Protocol 10/19/2010

SSL Handshake to Resume Session C  S: CLIENTHELLO S  C: SERVERHELLO CHANGECIPHERSPEC FINISH C  S: CHANGECIPHERSPEC 10/19/2010

Transport Layer Security (TLS) Specified as IETF standard RFC 2246 Similar to SSLv3 but with minor differences in record format version number use HMAC for MAC a pseudo-random function expands secrets has additional alert codes some changes in supported ciphers changes in certificate negotiations changes in use of padding 10/19/2010

SSL/TLS vs IPsec SSL/TLS and IPsec are very similar in that they both require negotiation of security parameters and both provide authentication and confidentiality However there are still differences SSL can be used to secure traffic going over TCP, while IPsec can be used to secure traffic going over IP, including UDP SSL requires modifying applications by replacing socket calls with SSL socket calls, but does not require modifying OS; IPsec can be added without modifying applications (although can be modified optionally to provide tailored service), but needs to change the IP stack in OS 10/19/2010

SSL/TLS vs IPsec ISAKMP requires both sides to authenticate each other, which is optional in SSL In some cases SSL can be tunneled through a proxy, while IPsec does not allow tunneling through intermediaries IPsec doesn’t work with a host behind a router performing network address translation (NAT); SSL has no problem with NAT 10/19/2010

Next Class Midterm exam! Oct. 17 in class 75 minutes About 10 questions Account for 20% toward final grade Review textbook, lecture slides and related papers discussed in class 10/19/2010