Web Security with SSL
Network Security
Prof. Reuven Aviv
King Mongkut’s University of Technology, Faculty of Information Technology
December 2008

WEB Security with SSL/TLS
- Introduction – Risks and counter measures
- Secure Socket Layer (SSL) architecture
- SSL Record Protocol
- SSL Handshake Protocol
- In Closing: What does the SSL Really Protect?
- Appendix: Usage of SSL and Certificates in Win2K/IIS
- Why is the Web Service special?

Web Security risks & counter-measures
- Corrupt server or browser data – done by Trojans, ActiveX, Applets
- Corrupt data in transit and session hijacking
  – Cryptographic checksum, Encryption
  – web proxy (later lecture)
- Denial of Service: flooding server, DNS attacks
  – Network Mitigation procedures
- Impersonation of users, and programs
  – signatures

Approaches to network Security
- Advantages and Disadvantages?

SECURE SOCKET LAYER (SSL)

SSL (Secure Socket Layer) & TLS
- SSL: Netscape, later Microsoft
  – SSL 3.0 submitted to IETF IRTF
- TLS: Transport Layer Security – essentially SSLv3.1
- Free implementations: SSLRef, OpenSSL
- SSL support included in Microsoft IIS & IE
- What methods are used for: Privacy, Integrity, Authentication, Non-Repudiation?

SSL Protocol Architecture
- SSL Record Protocol: transmission of blocks of data (records) between applications (e.g. HTTP)
- What is the purpose of the SSL Handshake & Alert protocols?

SSL Record Protocol

SSL Record Protocol: Services
- Encryption/Decryption of payloads (HTTP, …)
  – conventional encryption algorithms (DES…)
- Message integrity using MAC
- How is the MAC constructed?
  – hash of (message + secret)
  – secrets as agreed by a Handshake Protocol

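An added example (not from the lecture) of the record MAC in its SSL 3.0 form, where the "hash of (message + secret)" also covers a per-record sequence number, the content type and the length, so both modified and replayed records are rejected. The secret, the payload and the function names are constructed for illustration, and the encryption step is omitted.

```python
import hashlib
import hmac
import struct

PAD1 = b"\x36" * 40     # SSL 3.0 pad_1 for SHA-1 (48 bytes when the hash is MD5)
PAD2 = b"\x5c" * 40     # SSL 3.0 pad_2 for SHA-1
APPLICATION_DATA = 23   # record content type that carries HTTP payloads


def ssl3_mac(mac_secret, seq_num, content_type, fragment):
    """hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + data))."""
    header = struct.pack(">QBH", seq_num, content_type, len(fragment))
    inner = hashlib.sha1(mac_secret + PAD1 + header + fragment).digest()
    return hashlib.sha1(mac_secret + PAD2 + inner).digest()


def protect(mac_secret, seq_num, fragment):
    """Sender: append the MAC to the fragment."""
    return fragment + ssl3_mac(mac_secret, seq_num, APPLICATION_DATA, fragment)


def verify(mac_secret, expected_seq, record):
    """Receiver: recompute the MAC using its own sequence counter."""
    fragment, tag = record[:-20], record[-20:]
    good = ssl3_mac(mac_secret, expected_seq, APPLICATION_DATA, fragment)
    return hmac.compare_digest(tag, good)   # constant-time comparison


def demo():
    secret = bytes(range(20))   # constructed; a real MAC secret comes from the handshake
    rec0 = protect(secret, 0, b"GET /account HTTP/1.0\r\n\r\n")
    tampered = rec0.replace(b"account", b"payment")
    return {
        "genuine": verify(secret, 0, rec0),
        "tampered": verify(secret, 0, tampered),      # payload changed in transit
        "replayed": verify(secret, 1, rec0),          # old record sent again later
        "wrong_secret": verify(b"\x00" * 20, 0, rec0),
    }


if __name__ == "__main__":
    print(demo())
```
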
SSL Record Protocol Operation
- What’s in the header?

SSL Record Format
- What is to be agreed by client/server during handshake?

SSL Handshake Protocol

What is to be agreed: Cipher Suite
- Key Exchange algorithm: method to be used to create SSL Pre-Master Secret (1 of 4, e.g. D.H.)
- Specifications of Encryption/Hash algorithms
- Encryption: from RC4, or 3DES, …
  – Cipher Type: Stream or Block
- MAC Algorithm: HMAC-MD5 / HMAC-SHA-1
  – IV size, Hash size, …

SSL: 6 Secrets
- Two keys for encryption; two Initial Values (for encryption); two secrets for MAC
- Procedure for derivation of secrets: Pre_Master_Secret --> Master Secret --> Secrets
  – 48 Bytes PMS: one time value
- 4 methods for deriving PMS
- Who calculates PMS / Master / Secrets?

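An added example (not part of the original slides) of the Pre_Master_Secret --> Master Secret --> six secrets chain, using the SSL 3.0 MD5/SHA-1 expansion; TLS 1.0 replaces it with an HMAC-based function. The sizes assume a 3DES-CBC/SHA-1 suite, the input values are constructed, and the function names are hypothetical.

```python
import hashlib


def ssl3_expand(secret, seed, length):
    """MD5(secret + SHA1('A' + secret + seed)) + MD5(secret + SHA1('BB' + ...)) + ..."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)          # 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:length]


def master_secret(pms, client_random, server_random):
    """48-byte master secret, computed identically by client and server."""
    return ssl3_expand(pms, client_random + server_random, 48)


def six_secrets(master, client_random, server_random, mac_len=20, key_len=24, iv_len=8):
    """Cut the key block into the six secrets (note the swapped order of the randoms)."""
    sizes = [("client_mac", mac_len), ("server_mac", mac_len),
             ("client_key", key_len), ("server_key", key_len),
             ("client_iv", iv_len), ("server_iv", iv_len)]
    block = ssl3_expand(master, server_random + client_random, sum(n for _, n in sizes))
    secrets, pos = {}, 0
    for name, n in sizes:
        secrets[name] = block[pos:pos + n]
        pos += n
    return secrets


def demo():
    pms = b"\x03\x00" + bytes(range(46))                  # constructed 48-byte PMS
    c_rand, s_rand = b"\x11" * 32, b"\x22" * 32           # constructed Hello randoms
    client_view = six_secrets(master_secret(pms, c_rand, s_rand), c_rand, s_rand)
    server_view = six_secrets(master_secret(pms, c_rand, s_rand), c_rand, s_rand)
    return client_view == server_view, {k: len(v) for k, v in client_view.items()}


if __name__ == "__main__":
    print(demo())
```
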
PMS derivation methods
- [1] RSA Method: Client creates PMS (random) and sends PMS to server encrypted by Server’s RSA public key
  – Client needs Server’s Public Key Certificate

PMS derivation methods
- [2] Anonymous Diffie Hellman
  – q, agreed by two sides
  – Public keys (Y) are exchanged
  – PMS (calculated by both parties) = Y^X (mod q)
  – No exchange of Authenticating Certificates
- [3] Fixed Diffie Hellman
  – Server is authenticated by its D.H. certificate (inc. D.H. public key). Rest is Anonymous D.H.
- Disadvantage relative to RSA method?

PMS derivation methods
- [4] Authenticated Diffie Hellman:
  – Most secure way - both parties are authenticated
  – D.H. public keys are exchanged by messages – signed by senders’ private RSA or DSS keys
  – PMS is created by both parties
- Signing keys (RSA or DSS) are presented via Certificates, themselves signed by CAs

Handshake Protocol: full scenario

1. Hello Phase

Hello messages: Establishing Security Capabilities
- Client sends ClientHello (1)
  – ProtocolVersion (3.1 for TLS 1.0)
  – timestamp + random_num1. What is the purpose of these?
- Session ID. What is the purpose of this?
- Lists of Algorithms & Compression methods supported by client

Hello messages: Establishing Security Capabilities
- Server sends ServerHello (2)
- Protocol Version, Timestamp, random num2
  – Session ID: new value (or, if updating, old)
  – Selected Cipher-Suite, compression method
- Is the PMS Derivation method determined at this stage?

2. Server Authentication & Key exchange
- Certificate (3): one (or more) X.509 certificates
- Certificate presents the public key that will be used for encrypting secrets and/or signing
- (Diagram labels: Server, Client)
- These are optional. Who determines if these messages are sent?

Server Key_exchange_Message (4)
- Sent from the Server to provide its public key
  – Not needed in RSA [1] method (public key of Server was already sent by Certificate (3))
  – Not needed in fixed D.H. [3] method. Why?
- What is the content of this message? The Diffie Hellman public key (Y)
- Message required in the Anonymous D.H. [2]
  – Message not signed. Why not?

Server Key_exchange_Message (4)
- Message required in the Ephemeral D.H. [4]
  – Message signed by what? By RSA or DSS private key
- What is the signature? Encrypted hash of D.H. parameters and the random values in the Hello messages. Why?
  – K_RSA{hash(Cl.Hello.rand || Ser.Hello.rand || D.H. parameters)}

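An added example (not from the slides) that carries the D.H. calculation PMS = Y^X (mod q) through on both sides and shows why the signature on ServerKeyExchange covers the two Hello randoms: a signed message captured in one session does not verify in another. Assumptions: toy Mersenne-prime parameters, textbook RSA without padding, SHA-1 as the hash, and hypothetical function names.

```python
import hashlib
import secrets

# Toy parameters constructed for illustration only (far too small for real use).
Q, G = 2**127 - 1, 3                  # D.H. prime modulus q and base
P1, P2 = 2**89 - 1, 2**107 - 1        # toy RSA primes for the server's signing key
N, E = P1 * P2, 65537                 # server's public RSA key
D = pow(E, -1, (P1 - 1) * (P2 - 1))   # server's private RSA exponent


def dh_keypair():
    x = secrets.randbelow(Q - 3) + 2  # private X
    return x, pow(G, x, Q)            # (X, public Y)


def params_digest(client_random, server_random, y_server):
    """hash(Cl.Hello.rand || Ser.Hello.rand || D.H. parameters) as an integer."""
    params = b"".join(v.to_bytes(16, "big") for v in (Q, G, y_server))
    digest = hashlib.sha1(client_random + server_random + params).digest()
    return int.from_bytes(digest, "big")


def sign_params(client_random, server_random, y_server):
    return pow(params_digest(client_random, server_random, y_server), D, N)


def verify_params(client_random, server_random, y_server, signature):
    return pow(signature, E, N) == params_digest(client_random, server_random, y_server)


def demo():
    c_rand, s_rand = secrets.token_bytes(32), secrets.token_bytes(32)
    xs, ys = dh_keypair()                       # server's ephemeral D.H. key
    sig = sign_params(c_rand, s_rand, ys)       # signed ServerKeyExchange (4)
    xc, yc = dh_keypair()                       # client's D.H. key, sent in (8)
    accepted = verify_params(c_rand, s_rand, ys, sig)
    same_pms = pow(ys, xc, Q) == pow(yc, xs, Q)  # both sides compute Y^X mod q
    # The same signed message presented in a session with a fresh client random:
    replay_ok = verify_params(secrets.token_bytes(32), s_rand, ys, sig)
    # A different D.H. public key presented under the old signature:
    swap_ok = verify_params(c_rand, s_rand, dh_keypair()[1], sig)
    return accepted, same_pms, replay_ok, swap_ok


if __name__ == "__main__":
    print(demo())
```
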
End of Phase 2: Server
- In all methods except Anonymous D.H. [2]
  – Server sends Certificate_Request (5) requesting Client to provide its Certificate(s)
  – List of acceptable certificates & CAs
- Server sends ServerDone (6) message
- What will the client do?

End of Phase 2: Client
- Client checks the acceptability of parameters in ServerHello (selected algorithms & PMS method)
- Client checks receipt of the required certificates
- Client checks the validity of received certificates. How?

Phase 3: Client Authentication & Key Exchange
- What’s in Client_key_Exchange (8)?
- CertificateVerify (9): a signed hash of previous messages. What is the purpose of this?
- (Diagram labels: Client, Server)

ClientKeyExchange (8): Required
- Content depends on method of key generation:
- RSA [1]: Client sends a random 48-byte PMS, encrypted with the certified Server’s public key
- Authenticated or Anonymous D.H. [4], [2]:
  – Client sends its public D.H. key (Y)
- Fixed D.H. [3]: null (Client’s public D.H. key sent in previous message, Certificate (7))
  – In all D.H. methods [2], [3], [4] both Client and Server now calculate PMS

Certificate_Verify (9)
- Sent by Client – if it previously sent a Certificate with signing capabilities
  – i.e. not a Certificate with D.H. parameters
- Purpose: Authenticating the client - proving that the client knows its private key
- What should be in this message? Specific agreed info, signed by the client
  – Alternative to challenge response

Certificate_Verify (cont’d)
- Hash of collected shared knowledge
  – K_Client{hash(Master_Secret || pad2 || hash(handshake_messages || Master_Secret || pad1))}
- Signed by Client Private key
- Cannot be done by one who stole the Client certificate. Why?

4. Finish phase
- ChangeCipherSpec:
  – Let’s start using agreed Cipher-Suite
- Finished: hash of master secret, & other info
  – Using the agreed upon Cipher Suite

In closing: What does SSL really protect?
- It protects data in transit, mitigates attacks like MIM, Replay, and in general makes other attacks difficult to perform
- It does not solve the hard problems of E-Commerce:
  – DOS Attacks
  – Application Layer Attacks on the client and servers (BO), by which credit cards may be stolen

Appendix: Configuring SSL & Certificates in Win2K Internet Information Server (IIS)

Selecting the Web Server to be configured
- Tool: mmc

Web Server Properties: Certificate (SSL)

Web Server certificate

Configuring “Secure Communication” (SSL)

Web Server: Client Authentication Methods

IIS: Client (Browser) Authentication
- Anonymous: No authentication
- Basic: domain password sent in the clear
- Digest: challenge response
  – Challenge (from IIS): Workstation ID, domain/realm, time
  – Response: Thumbprint (hash with password)
  – Server needs to know password
- Integrated Windows Authentication
  – Browser obtains and sends Kerberos ticket
- Certificate based authentication

Web Server Certificate Trust List

IIS Access Control
- Mapping Client Certificates to accounts
  – Define subjects’ rights of access to www pages

Controlling Authentication for certain pages
- Selecting the page

Authentication methods for this page

Accessing the page