Web Security Network Systems Security

Slides:



Advertisements
Similar presentations
Cryptography and Network Security Chapter 16
Advertisements

Web security: SSL and TLS
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Lecture 6: Web security: SSL
TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security
Secure Socket Layer.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Internet Security CSCE 813 Transport Layer Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Cryptography and Network Security Chapter 17
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Chapter 8 Web Security.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
11 Secure Sockets Layer (SSL) Protocol (SSL) Protocol Saturday, University of Palestine Applied and Urban Engineering College Information Security.
Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Security Essentials Chapter 5
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
Cryptography and Network Security (SSL)
SARVAJANIK COLLEGE OF ENGINEERING & TECHNOLOGY. Secure Sockets Layer (SSL) Protocol Presented By Shivangi Modi Presented By Shivangi ModiCo-M(Shift-1)En.No
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Secure Sockets Layer (SSL) Protocol by Steven Giovenco.
Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.
Gold Coast Campus School of Information Technology 2003/16216/3112INT Network Security 1Copyright © Griffith University, INT / 3112INT Network.
Network and Internet Security Prepared by Dr. Lamiaa Elshenawy
1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.
PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH
Executive Director and Endowed Chair
Cryptography and Network Security
CSCE 715: Network Systems Security
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
CSE 4095 Transport Layer Security TLS, Part II
Cryptography and Network Security
Cryptography and Network Security Chapter 16
Cryptography and Network Security
Web Security (TRANSPORT-LEVEL SECURITY)
SSL (Secure Socket Layer)
Chapter 7 WEB Security.
Web Security (TRANSPORT-LEVEL SECURITY)
Security at the Transport Layer: SSL and TLS
CSCE 815 Network Security Lecture 16
Cryptography and Network Security Chapter 16
Chapter 7 WEB Security.
Cryptography and Network Security
Presentation transcript:

Web Security Network Systems Security Mort Anvari

Web Security Web is now widely used by business, government, and individuals But Internet and Web are vulnerable Have a variety of threats integrity confidentiality denial of service authentication Need to add security mechanisms 10/19/2004

TCP/IP Protocol Stack Application Layer Transport Layer Network Layer Each layer interacts with neighboring layers above and below Each layer can be defined independently Complexity of the networking is hidden from the application Transport Layer Network Layer Data Link Layer 10/19/2004

Security -- At What Level? Secure traffic at various levels in the network Where to implement security? -- Depends on the security requirements of the application and the user Basic services need to be implemented: Key management Confidentiality Nonrepudation Integrity/authentication Authorization 10/19/2004

TCP/IP Protocol Stack Application Layer Transport Layer Provides services to the application layer Services: Connection-oriented or connectionless transport Reliable or unreliable transport Security Transport Layer Internetwork Layer Network Access Layer 10/19/2004

Transport Layer Security Advantages: Does not require enhancement to each application Disadvantages: Obtaining user context gets complicated Protocol specific --> need to duplicated for each transport protocol Need to maintain context for connection (not currently implemented for UDP) 10/19/2004

Transport Layer Security Protocols Connectionless and connection-oriented transport layer service: Security Protocol 4 (SP4) – NSA, NIST Transport Layer Security (TLSP) – ISO Connection-oriented transport layer service: Encrypted Session Manager (ESM) – AT&T Bell Labs. Secure Socket Layer (SSL) – Netscape Communications Transport Layer Security (TLS) – IETF TLS WG Most popular transport layer security protocols 10/19/2004

SSL SSL versions: 1.0: serious security flaws – never released to public 2.0: some weaknesses (man-in-the-middle attack) – in Netscape Navigator 1.0-2.x 3.0: no serious security flaws – in Netscape Navigator 3.0 and higher, MS Explorer 3.0 and higher 10/19/2004

SSL Intermediate security layer between the transport layer and the application layer Based on connection-oriented and reliable service (e.g., TCP) Able to provide security services for any TCP-based application protocol, e.g., HTTP,FTP, TELNET, POP3, etc. Application independent 10/19/2004

SSL Services SSL provides SSL does not provide Client- server authentication (public-key cryptography) Data traffic confidentiality Message authentication and integrity check SSL does not provide Traffic analysis TCP implementation oriented attacks 10/19/2004

SSL State Information SSL session is stateful  SSL protocol must initialize and maintain session state information on either side of the session SSL session can be used for several connections  connection state information 10/19/2004

SSL Session State Information Elements Session ID: chosen by the server to identify an active or resumable session state Peer certificate: certificate for peer entity (X.509 v. 3) Compression method: algorithm to compress data before encryption Cipher spec: specification of data encryption and Message Authentication Code (MAC) algorithms Master secret: 48-byte secret shared between client and server Is resumable: flag that indicates whether the session can be used to initiate new connections 10/19/2004

SSL Connection State Information Elements Server and client random: byte sequences that are chosen by server and client for each connection Server write MAC secret: secret used for MAC on data written by server Client write MAC secret: secret used for MAC on data written by client Server write key: key used for data encryption by server and decryption by client Client write key: key used for encryption by client and decryption by server Initialization vector: for CBC block ciphers Sequence number: for both transmitted and received messages, maintained by each party 10/19/2004

SSL Protocol Architecture 10/19/2004

SSL Protocol Components: SSL Record Protocol SSL sub-protocols Layered on top of a connection-oriented and reliable transport layer service Provides message origin authentication, data confidentiality, and data integrity SSL sub-protocols Layered on top of the SSL Record Protocol Provides support for SSL session and connection establishment 10/19/2004

SSL Record Protocol Receives data from higher layer SSL sub-protocols Addresses Data fragmentation Compression Authentication Encryption 10/19/2004

SSL Record Protocol confidentiality message integrity using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption (optional) message integrity using a MAC with shared secret key similar to HMAC but with different padding 10/19/2004

SSL Record Protocol Operation 10/19/2004

SSL Sub-protocols Alert Protocol Used to transmit alerts via SSL Record Protocol Alert message: (alert level, alert description) Handshake Protocol Used to mutually authenticate client and server and exchange session key ChangeCipherSpec Protocol Used to change cipher specifications Can be changed at the end of the handshake or later Application Protocol Used to directly pass application data to the SSL Record Protocol 10/19/2004

SSL Alert Protocol Use two-byte message to convey SSL-related alerts to peer entity First byte is severity level warning(1) or fatal(2) Second byte is specific alert Always fatal: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter Other alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown Compressed and encrypted like all SSL data 10/19/2004

SSL Handshake Protocol Allow server and client to authenticate each other negotiate encryption and MAC algorithms negotiate cryptographic keys to be used Comprise a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish 10/19/2004

SSL Handshake Messages 10/19/2004

SSL Handshake C  S: CLIENTHELLO S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH S  C: CHANGECIPHERSPEC 10/19/2004

SSL Handshake CLIENTHELLO message is sent by the client C  S: CLIENTHELLO CLIENTHELLO message is sent by the client When the client wants to establish a TCP connection to the server, When a HELLOREQUEST message is received, or When client wants to renegotiate security parameters of an existing connection Message content: Number of highest SSL understood by the client Client’s random structure (32-bit timestamp and 28-byte pseudorandom number) Session ID client wishes to use (ID is empty for existing sessions) List of cipher suits the client supports List of compression methods the client supports 10/19/2004

SSL Handshake Server processes CLIENTHELLO message S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE SSL Handshake Server processes CLIENTHELLO message Server Respond to client with SERVERHELLO message: Server version number: lower version of that suggested by the client and the highest supported by the server Server’s random structure: 32-bit timestamp and 28-byte pseudorandom number Session ID: corresponding to this connection Cipher suite: selected by the server for client’s list Compression method: selected by the server from client’s list 10/19/2004

} SSL Handshake Optional messages: CERTIFICATE: S  C: SERVERHELLO [CERTIFICATE] [SERVERKEYEXCHANGE] [CERTIFICATEREQUEST] SERVERHELLODONE } SSL Handshake Optional messages: CERTIFICATE: If the server is using certificate-based authentication May contain RSA public key  good for key exchange SERVERKEYEXCHANGE: If the client does not have certificate, has certificate that can only be used to verify digital signatures, or uses FORTEZZA token-based key exchange CERTIFICATEREQUEST: Server may request personal certificate to authenticate a client 10/19/2004

SSL Handshake Client processing: Verifies site certification C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH SSL Handshake Client processing: Verifies site certification Valid site certification if the server’s name matches the host part of the URL the client wants to access Checks security parameters supplied by the SERVERHELLO 10/19/2004

SSL Handshake Client messages: CERTIFICATE C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH SSL Handshake Client messages: CERTIFICATE If server requested a client authentication, client sends CLIENTKEYEXCHANGE Format depends on the key exchange algorithm selected by the server RSA: 48-byte premaster secret encrypted by the server’s public key Diffie-Hellman: public parameters between server and client in SERVERKEYEXCHANGE and CLIENTKEYEXCHANGE msgs. FORTEZZA: token-based key exchange based on public and private parameters Premaster key is transformed into a 48-byte master secret, stored in the session state 10/19/2004

SSL Handshake Client messages: CERTIFICATEVERIFY C  S: [CERTIFICATE] CLIENTKEYEXCHANGE [CERTIFICATEVERIFY] CHANGECIPHERSPEC FINISH SSL Handshake Client messages: CERTIFICATEVERIFY If client authentication is required Provides explicit verification of the use’s identity (personal certificate) CHANGECIPHERSPEC Completes key exchange and cipher specification FINISH Encrypted by the newly negotiated session key Verifies that the keys are properly installed in both sites 10/19/2004

S  C: CHANGECIPHERSPEC FINISH SSL Handshake Server finishes handshake by sending CHANGECIPHERSPEC and FINISH messages After SSL handshake completed a secure connection is established to send application data encapsulated in SSL Record Protocol 10/19/2004

SSL Handshake to Resume session C  S: CLIENTHELLO S  C: SERVERHELLO CHANGECIPHERSPEC FINISH C  S: CHANGECIPHERSPEC 10/19/2004

SSL Change Cipher Spec Protocol A single message with only one byte “1” Cause pending state to become current, hence updating the cipher suite in use 10/19/2004

Transport Layer Security (TLS) Specified as IETF standard RFC 2246 Similar to SSLv3 but with minor differences in record format version number use HMAC for MAC a pseudo-random function expands secrets has additional alert codes some changes in supported ciphers changes in certificate negotiations changes in use of padding 10/19/2004

Next Class Kerberos and authentication 10/19/2004