Lecture 7: Transport Level Security – SSL/TLS
CS 336/536: Computer Network Security, Fall 2013
Nitesh Saxena
Adopted from previous lecture by Tony Barnard.

Course Admin
HW/Lab 1
– Graded; scores posted; to be returned today
– Solution was provided ( ed)
HW/Lab 2 posted
– Covers Lecture 5 (network mapping and attacks)
– Due Oct 25
Questions?

Course Admin
Mid-Term Exam
– Oct 23
– In-class, class timing (2 hrs?)
– Covers Lecture 1-7
– Review Oct 16

Outline
SSL/TLS
– Protocol
– Messages and Message Formats
– Secure Data Exchange
Exposition borrowed from Stephen Thomas (a book on SSL)

SSL: Secure Sockets Layer
Widely deployed security protocol
– Supported by almost all browsers and web servers
– https
– Tens of billions $ spent per year over SSL
Originally designed by Netscape in 1993
Number of variations:
– TLS: transport layer security, RFC 2246
Provides
– Confidentiality
– Integrity
– Authentication
Original goals:
– Had web e-commerce transactions in mind
– Encryption (especially credit-card numbers)
– Web-server authentication
– Optional client authentication
– Minimum hassle in doing business with new merchant
Available to all TCP applications
– Not just web
– e.g., (IMAP, SMTP), FTP

SSL in Action
Let us see some examples…
– Gmail (uses SSL)
– Wells Fargo (uses SSL)
– Blazernet (uses SSL)
– UAB (no SSL)
HTTPS: HTTP over SSL (or TLS)
– Typically on port 443 (regular http on port 80)

Which Layer to Add Security to?
Figure: Relative Location of Security Facilities in the TCP/IP Protocol Stack

SSL and TLS
SSL 2.0 was developed and patented by Netscape in
TLS is the non-proprietary Internet standard development (RFC 2246, 1999)
TLS 1.0 was an upgrade of SSL 3.0, so TLS 1.0 is sometimes referred to as SSL 3.1
Latest standard is TLS 1.2, sometimes referred to as SSL 3.3

SSL Main Components
1. Handshake
   1. Negotiation of protocol algorithms, versions and parameters
   2. Authentication of communicating parties
   3. Agreement of session keys
2. Secure Session Communication

Figure labels: 1 or more SSL Record Layer units; 443

Establishing Secure Communications
First, establish TCP connection from client to port 443 on server
Secure channel established – proceed to use

Secure channel established

ClientHello
Current versions: SSL 3.3, TLS 1.2
Also used as a nonce to repel replay attacks

ServerHello
Server selects from menu submitted by client
Server decides

ServerKeyExchange: Server sends its public key certificate
ServerHelloDone: Server has completed initial negotiation.
ClientKeyExchange: Client generates “premaster secret,” and sends it encrypted with the server’s public key. Server decrypts the premaster secret using the corresponding private key. Both sides can compute necessary keys.
Change Cipher Spec: Preliminary negotiations are complete and client tells server “I’m going to begin using the agreed cipher suite.”

ChangeCipherSpec
“Since the transition to secured communication is critical, and both sides have to get it exactly right, the SSL specification is very precise in describing the process.”
“The SSL specification also recognizes that some of the information (in particular, the key material) will be different for each direction of communication. In other words, one set of keys will secure data the client sends to the server, and a different set of keys will secure data the server sends to the client.”
“For a given system, whether it is a client or a server, SSL defines a write state and a read state. The write state defines the security information for data that the system sends, and the read state defines the security information for data that the system receives.”

ChangeCipherSpec

Finished
“Immediately after sending their ChangeCipherSpec messages, each system sends a Finished message. The Finished messages allow both systems to verify that negotiation has been successful and that security has not been compromised. Two aspects of the Finished message contribute to this security.”
“First … the Finished message itself is subject to the negotiated cipher suite … If the receiving party cannot successfully decrypt and verify the message, then clearly something has gone awry with the security negotiation.”
“The contents of the Finished message also serves to protect the security of the SSL negotiation. Each Finished message contains a cryptographic keyed hash (MAC) of important information about the just-finished negotiation … This protects against an attacker who manages to insert fictitious messages into, or remove legitimate messages from, the communication.”

Authenticating the Server
By now in this course we’re familiar with the need to authenticate the server’s identity.
In the usual situation in which SSL is deployed (ordering from Amazon.com) we do not need to authenticate the client – SSL has an option to do so, but we will skip this.
No surprise: we will insist on the server sending the client an X.509 certificate – browser will automatically check validity, using its library of CA public keys.

Authenticating the Server’s Identity – continued
New: replaces ServerKeyExchange

ClientKeyExchange
Encryption of the “pre-master secret” with the public key sent in the Certificate message means that the server must actually possess the corresponding private key to decrypt the pre-master secret.
Both sides can compute necessary keys.
Darth sends amazon.com certificate

Message Formats
– Transport Requirements
– Record Layer
– ChangeCipherSpec Protocol
– Alert Protocol
– Severity Level
– Alert Description
– Handshake Protocol
– ClientHello
– ServerHello
– Certificate
– ServerHelloDone
– ClientKeyExchange - include RSA only
– Finished
– Securing Messages
– Message Authentication Code
– Encryption
– Creating Cryptographic Keys

Figure labels: 1 or more SSL Record Layer units; 443

Transport Requirements

Record Layer

Figure 5.3 SSL Record Protocol Operations

HTTP

ChangeCipherSpec Protocol
Record Layer Header

Alert Protocol
The Alert Protocol signals an error. Some error messages are cautionary, others fatal.
TLS removes some of the error categories in SSL and adds some new ones.

Alert Protocol Description

Handshake Protocol
Purposes:
1. negotiate cipher suite to be used
   – ClientHello message
   – ServerHello message
2. authenticate I/D of server
   – Certificate message
   – ClientKeyExchange message
3. generate collection of shared secret information
   – Premaster secret (ClientKeyExchange)
   – Master secret
   – Keying material
   – MAC key
   – Encryption key
   – IV

Record Layer Header: protocol = 22
In practice they are not!
Format of Handshake message

ClientHello
Record Layer Header: protocol = 22

There are more of these in SSL; TLS removes some and adds others.

Secure Socket Layer
  TLSv1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 92
    Handshake Protocol: Client Hello
      Handshake Type: Client Hello (1)
      Length: 88
      Version: TLS 1.0 (0x0301)
      Random
        gmt_unix_time: Oct 10, :54:
        random_bytes: 751AB9DCEBF3014D799038D27E24E6409C8397FE6E1A
      Session ID Length: 0
      Cipher Suites Length: 24
      Cipher Suites (12 suites)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
        Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
        Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
      Compression Methods Length: 1
      Compression Methods (1 method)
        Compression Method: null (0)
Client can handle up to TLS 1.0 (SSL 3.1)
Remarkable range of capabilities in browser!
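The record and handshake headers dissected above can be decoded by hand. The following is an added example, not part of the lecture: a bounds-checked ClientHello parser run over a constructed message that offers the same 12 cipher suites as the capture. The sample's random value is made up and it carries no extensions, so its lengths differ from the 92/88 shown above; `parse_client_hello` and `build_sample` are names chosen here.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 22, 1  # record content type, handshake type

def parse_client_hello(record: bytes) -> dict:
    """Parse one record carrying a complete ClientHello; raise ValueError otherwise."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO or hs_len > rec_len - 4:
        raise ValueError("not a complete ClientHello")
    hello, pos = body[4:4 + hs_len], 0

    def take(n: int) -> bytes:
        # Every length field comes from the peer, so bound each read.
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("field runs past end of ClientHello")
        pos += n
        return hello[pos - n:pos]

    version = int.from_bytes(take(2), "big")
    random = take(32)                      # 4-byte time + 28 random bytes
    session_id = take(take(1)[0])
    suites_raw = take(int.from_bytes(take(2), "big"))
    if len(suites_raw) % 2:
        raise ValueError("odd cipher suite list length")
    suites = [int.from_bytes(suites_raw[i:i + 2], "big")
              for i in range(0, len(suites_raw), 2)]
    compression = list(take(take(1)[0]))
    return {"record_version": rec_version, "version": version,
            "gmt_unix_time": int.from_bytes(random[:4], "big"),
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression, "trailing_bytes": len(hello) - pos}

def build_sample() -> bytes:
    """Constructed ClientHello offering the 12 suites listed in the capture."""
    suites = [0x0039, 0x0038, 0x0035, 0x0033, 0x0032, 0x0004,
              0x0005, 0x002f, 0x0016, 0x0013, 0xfeff, 0x000a]
    hello = (b"\x03\x01" + bytes(range(32)) + b"\x00"  # version, random, empty session ID
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00")                             # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake

if __name__ == "__main__":
    print(parse_client_hello(build_sample()))
```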

ServerHello

Server to client:
Secure Socket Layer
  TLSv1 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 74
    Handshake Protocol: Server Hello
      Handshake Type: Server Hello (2)
      Length: 70
      Version: TLS 1.0 (0x0301)
      Random
        gmt_unix_time: Oct 10, :00:
        random_bytes: C7B2A2F58454A2C2A0DE667781E C86C8FF724069E...
      Session ID Length: 32
      Session ID: 77987B601B5544C111C3FCB1DF96F7A8970D1EFD39630F3F...
      Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
      Compression Method: null (0)

Certificate

Server to client:
Secure Socket Layer
  TLSv1 Record Layer: Handshake Protocol: Certificate
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 2468
    Handshake Protocol: Certificate
      Handshake Type: Certificate (11)
      Length: 2464
      Certificates Length: 2461
      Certificates (2461 bytes)
        Certificate Length: 1271
        Certificate (id-at-commonName=
        Certificate Length: 1184
        Certificate (id-at-commonName=VeriSign Class 3 Secure Server CA
Secure Socket Layer
  TLSv1 Record Layer: Handshake Protocol: Server Hello Done
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 4
    Handshake Protocol: Server Hello Done
      Handshake Type: Server Hello Done (14)
      Length: 0

Example “Certificate” message from Amazon.com contains a chain of public key certificates:
Certificate #1:
  Issued to:
  Issuer: VeriSign Class 3 Secure Server CA
Certificate #2:
  Issued to: VeriSign Class 3 Secure Server CA
  Issuer: VeriSign Class 3 Public Primary Certification Authority

ServerHelloDone

Both sides know algorithms, client generates “pre-master secret” and can use it to compute all necessary keys (session key, MAC key).
Client encrypts pre-master secret with server public key and sends.
Server has received encrypted pre-master secret, decrypts with its private key and uses pre-master secret to compute all necessary keys.
Both sides know all keys.

ClientKeyExchange
Chronologically, ChangeCipherSpec comes here, but it’s not part of the Handshake Protocol.

Finished

The 3 messages from the client:
Secure Socket Layer
  TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 134
    Handshake Protocol: Client Key Exchange
      Handshake Type: Client Key Exchange (16)
      Length: 130
  TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    Content Type: Change Cipher Spec (20)
    Version: TLS 1.0 (0x0301)
    Length: 1
    Change Cipher Spec Message
  TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 32
    Handshake Protocol: Encrypted Handshake Message

Creating Cryptographic Parameters
Where did the various keys come from?
Calculation of the Master Secret: 48 bytes

We need this secret information

Creation of the secret information (key material)
TLS does this somewhat differently

Review: repeat of a previous slide:
Both sides know algorithms, client generates “pre-master secret” and can use it to compute all necessary keys (session key, IV, MAC key).
Client encrypts pre-master secret with server public key and sends.
Server receives encrypted pre-master secret, decrypts with its private key and uses pre-master secret to compute all necessary keys.
Then both sides have computed identical keys.
We need to have an agreed test message.

Return to Finished
“Finished” message carries the agreed test message, MD5 and SHA hashes of the previous handshake messages.
Here’s the SHA:
TLS uses a slightly different hash calculation.
Inner and outer hash remind us of HMAC
Keyed, not signed

Finished
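The Finished check described above, as an added example that is not part of the lecture: it follows the SSL 3.0 Finished computation in RFC 6101 (inner and outer MD5 and SHA-1 hashes keyed with the master secret) and shows a receiver rejecting a Finished value when its view of the handshake differs from the sender's. The master secret and the handshake messages are constructed stand-ins; the function names are chosen here.

```python
import hashlib
import hmac

SENDER_CLIENT, SENDER_SERVER = b"CLNT", b"SRVR"  # 0x434C4E54, 0x53525652

def ssl3_finished(master_secret: bytes, handshake_messages: bytes, sender: bytes) -> bytes:
    """Return md5_hash || sha_hash over all handshake messages seen so far."""
    out = b""
    for algo, pad_len in (("md5", 48), ("sha1", 40)):
        pad1, pad2 = b"\x36" * pad_len, b"\x5c" * pad_len
        inner = hashlib.new(algo, handshake_messages + sender + master_secret + pad1).digest()
        out += hashlib.new(algo, master_secret + pad2 + inner).digest()
    return out  # 16 + 20 = 36 bytes

def verify_finished(master_secret: bytes, my_transcript: bytes, sender: bytes,
                    received: bytes) -> bool:
    """Recompute the peer's Finished over our own transcript; constant-time compare."""
    expected = ssl3_finished(master_secret, my_transcript, sender)
    return hmac.compare_digest(expected, received)

def demo():
    master = bytes(range(48))  # constructed 48-byte master secret
    # Constructed stand-ins for the handshake messages, in the order sent.
    sent = [b"ClientHello", b"ServerHello", b"Certificate",
            b"ServerHelloDone", b"ClientKeyExchange"]
    client_finished = ssl3_finished(master, b"".join(sent), SENDER_CLIENT)

    # Server saw exactly what was sent: the check passes.
    ok_honest = verify_finished(master, b"".join(sent), SENDER_CLIENT, client_finished)

    # Server's view has a fictitious message inserted in transit: the check fails,
    # because the inserting party does not know the master secret.
    seen = sent[:1] + [b"FictitiousMessage"] + sent[1:]
    ok_tampered = verify_finished(master, b"".join(seen), SENDER_CLIENT, client_finished)
    return client_finished, ok_honest, ok_tampered

if __name__ == "__main__":
    fin, honest, tampered = demo()
    print(len(fin), honest, tampered)
```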

Securing Messages (Application)
Handshake finally over! Ready to do useful work.

The inner and outer hash used here in SSL reminds us of HMAC (RFC 2104). This is slightly different, but TLS uses HMAC exactly.

Session Resumption
Full handshake is expensive: CPU time and number of RTTs
If the client and server have already communicated once, they can skip handshake and proceed directly to data transfer
– For a given session, client and server store session_id, master_secret, negotiated ciphers
Client sends session_id in ClientHello
Server then agrees to resume in ServerHello
– New key_block computed from master_secret and client and server random numbers
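The master secret and key material steps from "Creating Cryptographic Parameters", together with the key_block recomputation on resumption just described, as an added example that is not part of the lecture. It follows the SSL 3.0 construction in RFC 6101 (TLS replaces it with its own PRF) and is sized for the TLS_RSA_WITH_RC4_128_MD5 suite chosen in the capture; the pre-master secret and random values are constructed and the function names are chosen here.

```python
import hashlib

def ssl3_expand(secret: bytes, seed: bytes, n: int) -> bytes:
    """SSL 3.0 expansion: MD5(secret + SHA1(label + secret + seed)), labels 'A', 'BB', 'CCC', ..."""
    out, i = b"", 0
    while len(out) < n:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:n]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # 48 bytes, seeded with ClientHello.random then ServerHello.random.
    return ssl3_expand(pre_master, client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    # Note the seed order is reversed here: ServerHello.random first.
    need = 2 * (mac_len + key_len + iv_len)
    block = ssl3_expand(master, server_random + client_random, need)
    layout = [("client_write_MAC", mac_len), ("server_write_MAC", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def demo():
    pre_master = b"\x03\x00" + bytes(range(46))   # constructed: version + 46 bytes
    cr1, sr1 = b"\x11" * 32, b"\x22" * 32         # constructed randoms, full handshake
    ms = master_secret(pre_master, cr1, sr1)
    # RC4_128_MD5: 16-byte MAC secrets, 16-byte keys, no IV (stream cipher).
    full = key_block(ms, cr1, sr1, 16, 16, 0)
    # Resumption: same stored master secret, fresh randoms from the new hellos.
    cr2, sr2 = b"\x33" * 32, b"\x44" * 32
    resumed = key_block(ms, cr2, sr2, 16, 16, 0)
    return ms, full, resumed

if __name__ == "__main__":
    ms, full, resumed = demo()
    print(ms.hex())
    print({k: v.hex() for k, v in full.items()})
    print({k: v.hex() for k, v in resumed.items()})
```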

Further Reading
SSL and TLS Essentials, Stephen Thomas
Stallings, Chapter 6