TLS 1.2 and NIST SP 800-56A Tim Polk November 10, 2006.

Presentation transcript:

TLS 1.2 and NIST SP 800-56A
Tim Polk
November 10, 2006

Acknowledgements
The bulk of the analysis was performed by Ray Perlner at NIST
Reviewed -01 draft

Background
NIST publishes cryptographic standards and specifications
  – Agencies protecting unclassified data with cryptography need to use Approved algorithms
    – Based on FIPS 140, FISMA, etc.
  – Exception: where no Approved algorithms exist, agencies can select any algorithm
    – CMVP may impose additional constraints

FIPS 140 Implementation Guidance, 12/2005
“The following protocols are acceptable for use in the FIPS mode to establish keys to be used for encryption and decryption:”
  – SSL v3.1
  – TLS and EAP-TLS
  – IPSEC
  – SSH v2

NIST SP 800-56A, Key Establishment
Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
  – Published March, 2006
Specifies key derivation function(s)
  – Basically, one kdf with two input formatting variants (ASN.1 and concatenated values)

800-56A KDF Overview
Generate keying material with a hash function from the shared secret and…
  – Cryptographic algorithm(s) identifier
  – Identifiers for communicating parties
  – Nonces (required if keys are static)
  – Optional information from both parties
The derived key material is bound to the complete communications context
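
The derivation outlined on this slide, written out as an added example (not code from the presentation or from NIST): an implementation of the concatenation-format variant, H(counter || Z || OtherInfo), showing how the context fields bind the derived key. The 4-byte length prefixes, the choice of SHA-256, and all sample identifiers, nonces and the shared secret are assumptions constructed for illustration.

```python
import hashlib
import struct

def len_prefixed(data: bytes) -> bytes:
    # Assumed encoding: 4-byte big-endian length, then the data, so that
    # adjacent variable-length fields cannot be confused with one another.
    return struct.pack(">I", len(data)) + data

def party_info(identifier: bytes, nonce: bytes = b"") -> bytes:
    # One party's contribution: its identifier plus its nonce (may be empty).
    return len_prefixed(identifier) + len_prefixed(nonce)

def other_info(algorithm_id: bytes, party_u: bytes, party_v: bytes,
               optional: bytes = b"") -> bytes:
    # Concatenation variant: AlgorithmID || PartyUInfo || PartyVInfo || optional info.
    return len_prefixed(algorithm_id) + party_u + party_v + optional

def concat_kdf(z: bytes, info: bytes, key_len: int,
               hash_name: str = "sha256") -> bytes:
    """Derive key_len bytes as H(counter || Z || OtherInfo), counter = 1, 2, ..."""
    if not z or key_len <= 0:
        raise ValueError("need a non-empty shared secret and a positive length")
    digest_size = hashlib.new(hash_name).digest_size
    reps = -(-key_len // digest_size)  # ceiling division
    blocks = []
    for counter in range(1, reps + 1):
        h = hashlib.new(hash_name)
        h.update(struct.pack(">I", counter))  # 32-bit big-endian counter
        h.update(z)
        h.update(info)
        blocks.append(h.digest())
    return b"".join(blocks)[:key_len]

# Constructed sample values (not taken from the slides).
Z = bytes.fromhex("00" * 2 + "ab" * 30)  # fixed-length secret, leading zeros kept
ALG = b"AES-128-CBC+HMAC-SHA-256"
CLIENT = party_info(b"client.example", b"\x01" * 16)
SERVER = party_info(b"server.example", b"\x02" * 16)

def demo():
    k_good = concat_kdf(Z, other_info(ALG, CLIENT, SERVER), 48)
    # Same Z, different claimed peer identity: the derived key changes.
    other_peer = party_info(b"other.example", b"\x02" * 16)
    k_peer = concat_kdf(Z, other_info(ALG, CLIENT, other_peer), 48)
    # Same Z and parties, different algorithm identifier: the key changes.
    k_alg = concat_kdf(Z, other_info(b"3DES-CBC+HMAC-SHA-1", CLIENT, SERVER), 48)
    return k_good, k_peer, k_alg

if __name__ == "__main__":
    for name, key in zip(("agreed", "other peer", "other alg"), demo()):
        print(f"{name:>10}: {key.hex()}")
```
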

Silence Was Golden
Now that we specify a kdf… the FIPS 140 IG will be changing
Current proposal:
  – Accept protocols with 800-56A KDF
    – No such protocols exist
  – Review protocols that use non-conforming KDFs, accept with time limits
    – TLS is proposed for acceptance through the end of 2010

Now That We’re Here…
This is clearly a bad situation
  – The WG chair reviewed the 800-56A KDF and determined it isn’t a good fit for TLS
  – The AD requested that NIST reconsider the problem
    – Could NIST accept the TLS kdf without an expiration date?

Analysis
NIST could accept TLS 1.2 without an expiration date, with a few minor fixes
Finished message binds the context to the communications channel effectively
  – Niche cases exist where these bindings might not be established

Certificate Hash
Certificate hash needs to be mandatory
  – If the hash is not included with the client certificate URL, the finished message will not factor in the name associated with the key.
Hash needs agility
  – The protocol mandates SHA-1, which is fine as a default, but there is no mechanism to specify a stronger algorithm.

Upgrade Security Guidance to Requirements
TLS recommends mechanisms to protect against
  – Timing attacks ( , )
  – Bleichenbacher attack ( )
Can TLS 1.2 upgrade these to MUST?
Consider extending guidance for blinding to non-RSA key exchange algorithms?

Clarifications in Error Handling
Need to clarify when alerts MUST be sent versus MAY be sent
  – Responses on list have been helpful; would like to see this information in the spec

Incremental Changes
IVs
  – MUST use one of the specified IV generation techniques
Certificate Handling, HMAC truncation
  – Should require explicit agreement
DH
  – Recommend maintaining leading zeroes

Anonymous Diffie-Hellman
Frankly, it makes us nervous.
List traffic does not support expunging Anonymous DH
  – Need to ensure that Anonymous DH is only used with user agreement
  – Bodo Moeller has suggested text: archive/web/tls/current/msg00900.html

Further Information
NIST SP 800-56A (see 5.8)
  – http://csrc.nist.gov/publications/nistpubs/800-56A/sp800-56A_May-3-06.pdf
Personal draft with KDFs
  – dang-nistkdf-01.txt

Questions?