Transport Layer Security (TLS) Bill Burr November 2, 2001.

Slides:

Advertisements

Similar presentations

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.

Advertisements

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

Cryptography and Network Security Chapter 16

Web security: SSL and TLS

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Lecture 6: Web security: SSL

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

Cryptography and Network Security

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

1 Information System Security AABFS-Jordan Summer 2006 Web security: SSL and TLS Prepared by : Mohammed tarawneh Presented to: Dr. Lo’ai Tawalebeh.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Lecture 7: Transport Level Security – SSL/TLS CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Tony Barnard.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Web Security (SSL / TLS)

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Cryptography and Network Security Chapter 17

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 9 Wenbing Zhao Department of Electrical and Computer Engineering.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

Chapter 8 Web Security.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Transport-level and Web Security (SSL / TLS, SSH)

CN8814: Network Security1 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) TLS (SSL-VPN)

Secure Socket Layer (SSL)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Network Security Essentials Chapter 5

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Web Security : Secure Socket Layer Secure Electronic Transaction.

Cryptography and Network Security (SSL)

1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

SSL (TLS) Part 2 Generating the Premaster and Master Secrets + Encryption.

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.

Gold Coast Campus School of Information Technology 2003/16216/3112INT Network Security 1Copyright © Griffith University, INT / 3112INT Network.

1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002.

Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server.

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

Cryptography CSS 329 Lecture 13:SSL.

Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.

PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH

Cryptography and Network Security

CSE 4095 Transport Layer Security TLS

Virtual Private Networks (VPN)

Cryptography and Network Security

SSL (Secure Socket Layer)

Security at the Transport Layer: SSL and TLS

CSCE 815 Network Security Lecture 16

The Secure Sockets Layer (SSL) Protocol

Transport Layer Security (TLS)

Presentation transcript:

Transport Layer Security (TLS) Bill Burr November 2, 2001

Transport Layer Security (TLS)  Version 3.1 of Secure Socket Layer (SSL) –“standardized” by IETF RFC2246 –Several earlier versions V2 not very secure  End-to-end between a client and server –Sits on top of TCP –Requires reliable connection  Most important Internet crypto protocol? –Secure web pages – and LDAP access control

TLS Example: Client Authent. ClientServer Client Hello supported ciphers client_random compression Server Hello TLS_RSA_WITH_3DES... Server_random compression session_ID Certificate Server RSA Certificate Certificate Request certiricte_types certificate_authorities Hello Done Optional messages for client authentication have gold background

TLS Example: Client Authent. ClientServer Client Certificate client’s PK certificate Client Key Exchange E SK (pre_master_secret) Certificate Verify Signature (prev. messages) Change Cipher Spec Handshake Finished verify_data Change Cipher Spec Handshake Finished verify_data

3DES Cipher Suites  TLS_RSA_WITH_3DES_EDE_CBC_SHA  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  TLS_RSA_WITH_NULL_SHA

AES Cipher Suites  TLS_RSA_WITH_AES_128_CBC_SHA  TLS_DH_DSS_WITH_AES_128_CBC_SHA  TLS_DH_RSA_WITH_AES_128_CBC_SHA  TLS_DHE_DSS_WITH_AES_128_CBC_SHA  TLS_DHE_RSA_WITH_AES_128_CBC_SHA  TLS_RSA_WITH_AES_256_CBC_SHA  TLS_DH_DSS_WITH_AES_256_CBC_SHA  TLS_DH_RSA_WITH_AES_256_CBC_SHA  TLS_DHE_DSS_WITH_AES_256_CBC_SHA  TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Pseudorandom Function (PFR)  Feeds a secret, a label, and a seed into an iterated HMAC to generate a pseudorandom stream  Uses SHA1 & MD5 –Intended to be secure if either is secure The secret is split into halves, and one half is fed into the SHA1 HMAC and the other into the MD5 HMAC and the outputs are exclusive ORED. If one hash is bad enough, entropy would be lost.

Pseudorandom Function (PRF)

 Used with pre_master_secret, client-random server_random & label “master_secret” to generate 48-byte master-secret  Used with master_secret, server_random, client_random & label “key expansion” to generate key block  Also used to generate the verify_data key confirmation parameter of the Handshake Finished message

Proposed Client Guidance  Only do TLS (version 3.1) –But client is normally expected to be able to do highest version specified in Client Hello, plus every previous version!  Server can choose any suite the client includes in Client Hello message  Offer only 3DES or AES Cipher suites –Never include 40 or 56-bit suites –Encryption not required but anonymous cipher suites not allowed  1024-bit RSA/DSA client certificates are OK until 2015

Proposed Server Guidance  Implement only TLS, not SSL –Clients that can’t do TLS are out of luck  Use only 3DES or AES Cipher Suites  Server key management certificate subject key size needs to match confidentiality requirements –If data must be kept secret after 2015, then RSA/DSA encryption keys larger than 1024 are needed.

For Maximum Security  RSA or DSA authentication with ephemeral Diffie-Hellman key exchange –E.g., TLS_DHE_RSA_WITH_AES_128_CBC_SHA –Perfect forward secrecy –Potentially large DH keys for long term confidentiality, with whatever authentication key size is currently needed  But, –How many products do ephemeral Diffie-Hellman? –Performance price

Issues  Do implementations check server identity?  Use of same RSA server key for authentication and key management  Is payload SHA-1 HMAC strong enough for 112, 128 & 256-bit encryption?  Is 96-bit verify-data key confirmation strong enough for 112, 128 & 256-bit encryption?  Is the PRF strong enough for 112, 128 & 256-bit encryption? –Does MD5 HMAC poison the well?  “Non-standard” signature formts  Diffie-Hellman doesn’t follow a NIST scheme

Questions and Discussion