Cryptography. Three methods: Symmetric key, Asymmetric key, Hashing.

Presentation transcript:

Slide 1: Cryptography. Three methods: symmetric key, asymmetric key, hashing.

Slide 2: Symmetric Key Encryption
- Encryption of almost everything
  - Data at rest: disk encryption, files, databases
  - Data in motion: SSL/TLS, IPsec
- Today's standards
  - Advanced Encryption Standard: AES-128 and AES-256
  - Processor hardware acceleration for Galois/Counter Mode (GCM): < 1% performance impact
- SDP/PA use AES-256 for Single Packet Authorization and TLS communication
- Shared key encryption: the same key used to encrypt also decrypts
  - Must be kept secret !!!
  - Very difficult to transmit a secret across an untrusted network

Slide 3: Asymmetric Key (a.k.a. Public Key) Cryptography
- Purpose: exchange secrets over an untrusted network, secretly (encrypted) and with integrity (signed)
- Only encrypts small pieces of data: the message must be smaller than the asymmetric key
- Only used for 2 things
  - Encrypt symmetric keys (common for data at rest)
  - Encrypt hashes (together known as a "signature")
- Today's standards: Diffie-Hellman, RSA (PKCS#1), Digital Signature Standard (DSS)
- SDP/PA use asymmetric key encryption for:
  - Encrypting keys on disk
  - Exchanging symmetric keys & creating signatures for the TLS handshake
  - Generating and validating X.509 certificates

Slide 4: Hash (a.k.a. Message Authentication Code or MAC)
- Converts an arbitrarily long message into a single number
  - The number is "unique": typical values are 2^256, 2^384 (approximately the number of atoms in the observable universe)
- Cannot be reversed: once converted to a hash, it cannot be converted back into the message
  - Re-hash the message and compare hashes: same hash means same message
- Today's standards
  - Secure Hash Algorithm 1 (SHA-1): widely used, considered insecure
  - SHA-2 family of hashes, typical use: 256, 384, 512-bit
  - SHA-3 released Aug 5, 2015
  - Message Digest 5 (MD5): considered cryptographically broken
- SDP/PA use hashing for:
  - One Time Password (OTP) and GMAC of Single Packet Authorization (SPA)
  - Integrity of the TLS handshake
  - X.509 certificates (prior to being encrypted with asymmetric keys)
  - Derivation of TLS symmetric keys and Initialization Vectors (IV)
- Key Derivation Function (KDF): Km = create master key; K1 = H[Km]; K2 = H[K1]; K3 = H[K2]; K4 = H[K3]

Slide 5: Cryptography: Only 3 methods
- Symmetric key encryption
- Asymmetric key encryption
- Hashing (MAC)
- Almost always used in combination
Example: method for an SSL/TLS connection, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[Diagram: the TLS cypher suite broken down by method: generate asymmetric keys, exchange asymmetric keys, authentication via asymmetric & hashing, symmetric key encryption, symmetric key & hashing, hash]

Slide 6: Symmetric Key Encryption with Message Authentication

Slide 7: Symmetric Key Encryption
[Diagram: PT encrypted with E_k into Cypher Text (CT), sent across the Untrusted Network, decrypted with D_k back into PT]

Slide 8: Symmetric Key Encryption & Block Cyphers
[Diagram: the same flow (PT, E_k, CT, Untrusted Network, D_k, PT) with the message split into blocks; each PT block is XORed with the previous CT block before encryption]

Slide 9: Symmetric Key Encryption & Block Cyphers
[Diagram: the block-cypher chain continued over several blocks: each PT block XORed with the previous CT block, encrypted with E_k, decrypted with D_k and XORed again to recover PT]

Slide 10: Symmetric Key Encryption & Message Authentication
[Diagram: the block-cypher chain from the previous slides (PT, E_k, CT, XOR feedback, Untrusted Network, D_k, PT) alongside a second copy of the basic symmetric encryption flow]

Slide 11: Symmetric Key Encryption & Message Authentication
[Diagram: the encryption chain with a hash function chained alongside it: H_i = Func(H_{i-1}, input), each CT block XORed into the hash input, producing a hash over the Cypher Text for message authentication]

Slide 12: Galois/Counter Mode (GCM) and GMAC

Slide 13: Galois/Counter Mode (GCM) and GMAC
[Diagram: counter blocks IV || 1 ... IV || n encrypted with E_k and XORed with PT_1 ... PT_n to give CT_1 ... CT_n; AD_1 ... AD_m, CT_1 ... CT_n and len(AD) || len(PT) are fed through the GHASH chain; the final GHASH output is XORed with E_k of the initial counter block to give the TAG]
- E_k is the encryption algorithm and key, which is AES-256
- PT is Plain Text that gets encrypted into Cypher Text (CT)
- All blocks are 128 bits in length
- IV is a 96-bit Initialization Vector, which is a nonce
- 1st counter block is the IV followed by the 32-bit number "1"
- The output is the Cypher Text and the Tag
- AD is Additional Data (that does not get encrypted)

Slide 14: Asymmetric Key Cryptography (Public Key)

Slide 15: Asymmetric Key Cryptography
- Algorithms generate 2 keys: the private key is kept private, the public key is shared
  - Elliptic curve keys are hundreds of bits; RSA keys are thousands of bits
  - Message smaller than the key
- 2 uses
  - Encrypt a symmetric key: Alice encrypts the symmetric key with Bob's public key, so Bob can decrypt with his private key
  - Encrypt a hash (MAC): Alice encrypts the hash with Alice's private key, so Bob can decrypt it with Alice's public key
[Diagram: Alice sends a message m (for example a symmetric key) across the Untrusted Network to Bob]
Math example (RSA):
  Encryption: c = m^e mod n, where "e" is Bob's public key
  Decryption: m = c^d mod n, where "d" is Bob's private key
  (m^e)^d ≡ m^(e*d) ≡ m^1 ≡ m (mod n)
Concerns:
1. How does Alice know it's Bob's key? Answer: Public Key Infrastructure
2. If the conversation is recorded, and if Bob's private key is compromised, then the attacker can decrypt the message. Solution: Perfect Forward Secrecy

Slide 16: Perfect Forward Secrecy
- Compromise of the long-term key does not compromise past keys
- Thought exercise/analogy: Diffie-Hellman Ephemeral (DHE), but with buckets of paint*
  - Both (Alice and Bob) agree on a common color
  - Both choose a secret color
  - Each separately blends their secret color with the common color
  - Exchange blends: each now has the other's blended color
  - Each separately blends their secret color with the other's blended color
  - Both arrive at the same common blended color (a common secret)
- Thought exercise/small numbers (also from Wikipedia; remember this is not RSA math)
  g = common # = 5, p = modulus = 23
  Alice: a = 6; A = 5^6 mod 23 = 8
  Bob: b = 15; B = 5^15 mod 23 = 19
  Alice: B^a mod 23 = 19^6 mod 23 = 2
  Bob: A^b mod 23 = 8^15 mod 23 = 2
- Perfect Forward Secrecy: no encrypted key is sent to the other party; random keys, neither knows both
* Wikipedia "Diffie–Hellman key exchange"

Slide 17: Asymmetric Key Summary
- 2 uses of asymmetric key
  - Encrypt symmetric key (using receiver's public)
  - Encrypt hashes (using sender's private)
- RSA math: (m^e)^d ≡ m^(e*d) ≡ m^1 ≡ m (mod n); crypto of symmetric keys and hashes
- Diffie-Hellman analogy: paint buckets; (g^a)^b (mod n) ≡ (g^b)^a (mod n)
  - Perfect Forward Secrecy
  - Becomes the basis for the pre-master key

Slide 18: Public Key Infrastructure (PKI)

Slide 19: Public Key Infrastructure (PKI)
- What is it used for?
  - Create and distribute digital certificates
  - Acts as a trusted 3rd party
  - Enables authentication over an untrusted network
- SDP/PA use it for Mutual Authentication of:
  - Clients to Controllers
  - Clients to Gateways
  - Gateways to Controllers
  - Basically, all trust is mutual trust, not just single-ended
- How does it work?
[Diagram: two parties across the Untrusted Network, each holding (1) a private key, (2) a public key / certificate, (3) a trusted root certificate, with the Certificate Authority as trusted 3rd party: Mutual Authentication]

Slide 20: Initialization of PKI
[Diagram: the Certificate Authority (CA) creates the Root Cert (subj: Vidder, issuer: Vidder, Vidder public key) and signs it with a signature over its hash; the CA also runs the OCSP and CRL services]

Slide 21: Server Gets a Private Key and Certificate
[Diagram: the CA hashes and signs the Server Cert (subj: Server, issuer: Vidder, Server public key); the server ends up holding the Root Cert and its own Server Cert, with OCSP/CRL available at the CA]

Slide 22: PKI Part of TLS
[Diagram: the client hashes the received Server Cert and compares it with the original hash recovered from the signature using the Root Cert (Equal?); the OCSP Response (serial #, validity time, signature, Good) is checked the same way]
- Valid certificate
- Not expired
- Not revoked
- Cert is trusted !!!

Slide 23: Client Certificate
[Diagram: certificate fields: Subject, Issuer, Serial #, Public Key, Rest of Cert (all hashed for the signature), Signature (not hashed); the Subject carries the Client Universal ID; Key Usage: see RFC 5280 pg. 29; pinned to SDP]

Slide 24: Is PKI Broken?
- Is it broken? No. The technology is sound
- Is it broken in some other way? Yes
  - The hundreds of certificate authorities should not be trusted: DigiNotar compromised, Google's service was compromised in Iran
  - Root cert injection creates additional trusted websites: a sophisticated attack that undermines trust
  - Certificate subject is a name, not an IP address: DNS spoofing can fool PKI
  - Requires revocation checking: enables a DoS attack on the infrastructure
- Does Vidder fix it? Yes
  - Dedicated PKI means only the SDP's certificate authority is trusted
  - Additional root certs cannot be injected: the one and only root is encrypted on disk
  - Certificate subject is an IP address, not a name: spoofing is not possible
  - OCSP responses are "stapled", defeating DoS attacks
[Diagram: two parties across the Untrusted Network, each holding (1) a private key, (2) a public key / certificate, (3) a trusted root certificate, with the Certificate Authority as trusted 3rd party: Mutual Authentication]

Slide 25: PKI Summary
- PKI's purpose is to
  - Create and distribute digital certificates
  - Act as a trusted 3rd party
  - Enable authentication over an untrusted network
- PKI consists of a root cert and certs derived from it
  - Everyone inherently trusts the root
  - Certificates can be cryptographically proven
  - Signing proves the certificate hasn't been altered
  - Signature: encrypts the hash with the issuer's private key
  - Creates a chain of trust that must be validated
- The public implementation of PKI is "broken", but the technology is not
  - SDP's implementation fixes the breakage
[Diagram: two parties across the Untrusted Network, each holding (1) a private key, (2) a public key / certificate, (3) a trusted root certificate, with the Certificate Authority as trusted 3rd party: Mutual Authentication]

Slide 26: SDP Device Authentication
1. SPA
2. Mutual TLS
3. Fingerprint

Slide 27: SDP Device Authentication: Single Packet Authorization (SPA)

Slide 28: Attacks on SSL/TLS
Name | Date | Attack | Unauthorized | Authorized Users
SSLstrip | Feb 2009 | http to https | SPA | No http
DigiNotar | Sept 2011 | MitM forged certs | SPA | Pinned certs
THC-SSL-DOS | Oct 2011 | DoS attack on SSL | SPA | Device deleted
BEAST | Apr 2012 | Java Applet oracle | SPA | Client-based
CRIME | Sept 2012 | MitM SPDY compressing oracle | SPA | No compression
Lucky 13 | Feb 2013 | MitM CBC padding oracle | SPA | GCM
TIME | Mar 2013 | Browser JavaScript timing oracle | SPA | Client-based
RC4 biases | Mar 2013 | MitM RC4 oracle | SPA | No cypher negotiation
BREACH | Aug 2013 | Website redirect, compression | SPA | No redirect or compression
goto fail | Feb 2014 | MitM counterfeit key via coding error | SPA | Pinned dedicated cert
Triple Handshake | Mar 2014 | Server MitM on client cert | SPA | Pinned dedicated cert
Heartbleed | Apr 2014 | OpenSSL bug | SPA | Not single-ended SSL
BERserk | Sept 2014 | MitM PKCS#1.5 padding | SPA | Not Mozilla NSS
Poodle | Oct 2014 | MitM SSLv3 oracle | SPA | No cypher negotiation
Poodle++ | Dec 2014 | MitM JavaScript timing oracle | SPA | Client-based
FREAK | Mar 2015 | MitM negotiation 512 bit key | SPA | No key negotiation
Bar-mitzvah | Mar 2015 | View RC4 | SPA | No RC4
logjam | May 2015 | MitM downgrade to 512 bit key | SPA | No suite negotiation
PrecisionAccess defeats all recent attacks on SSL/TLS by both Unauthorized and Authorized users

Slide 29: Single Packet Authorization (SPA)
- History: invented >10 years ago; commonly used for super user ssh access to servers; mitigates attacks by unauthorized users
- SPA in the Software Defined Perimeter Spec
  - Based on RFC 4226, "HOTP": HMAC-based One-Time Password, used for hardware/software one-time password tokens
  - SPA occurs before the TLS (SSL) connection
  - Mitigates DoS & other TLS attacks by unauthorized users
- SPA = UID, CTR, OTP, GMAC. Each client has a UID, Seed, CTR, and E_K:
  - UID = Universal ID of the SDP Client
  - CTR = hashed with the seed to create the OTP
  - OTP = One-Time Password
  - GMAC = signature of UID, CTR, and OTP for data authentication
  - Seed = shared secret for the OTP
  - E_K = shared key for GMAC (AES-256)
- OTP = HMAC[seed || CTR]
- GMAC = E_K[UID || OTP || CTR]
- UID, OTP, CTR, & GMAC are sent as clear text. The counter is incremented to mitigate playback attacks
- Highly efficient rejection: defeats DoS & other attacks on SSL
Packet layout: UID (32-bit) | OTP (64-bit) | Counter (32-bit) | GMAC (128-bit)
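The SPA packet and its gateway-side verification as an added example in Go (not the SDP spec's or Vidder's code), following the slide's layout UID || OTP || CTR || GMAC. Two details the slide does not fix are assumptions here: the OTP field carries the RFC 4226 dynamic-truncation value as a 64-bit integer, and the GMAC nonce is UID || CTR || 0^32; seed, key and UID are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Wire layout from the slide: UID (32-bit) || OTP (64-bit) || CTR (32-bit) || GMAC (128-bit).
const spaLen = 4 + 8 + 4 + 16

// hotp is RFC 4226 (HMAC-SHA-1 of the 8-byte counter keyed by the seed, dynamic truncation to 31 bits); assumption: that value fills the 64-bit OTP field.
func hotp(seed []byte, ctr uint64) uint64 {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], ctr)
	mac := hmac.New(sha1.New, seed)
	mac.Write(c[:])
	hs := mac.Sum(nil)
	off := hs[19] & 0x0f
	return uint64(binary.BigEndian.Uint32(hs[off:off+4]) & 0x7fffffff)
}

// gmac tags the 16-byte header with AES-256-GCM over an empty plaintext; assumption: nonce = UID || CTR || 0^32, unique while the counter only moves forward.
func gmac(key, header []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk)
	nonce := append(append(append([]byte{}, header[0:4]...), header[12:16]...), 0, 0, 0, 0)
	return g.Seal(nil, nonce, nil, header)
}

// buildSPA is the client side: next counter value, OTP from the seed, GMAC over the header.
func buildSPA(uid uint32, seed, key []byte, ctr uint32) []byte {
	pkt := make([]byte, 16, spaLen)
	binary.BigEndian.PutUint32(pkt[0:], uid)
	binary.BigEndian.PutUint64(pkt[4:], hotp(seed, uint64(ctr)))
	binary.BigEndian.PutUint32(pkt[12:], ctr)
	return append(pkt, gmac(key, pkt)...)
}

type ClientRecord struct {
	Seed, Key []byte
	LastCtr   uint32
}

// verifySPA is the gateway side: reject cheaply, in order, bad length, unknown UID, non-advancing counter (replay), bad GMAC, wrong OTP; commit the counter only after all pass.
func verifySPA(clients map[uint32]*ClientRecord, pkt []byte) error {
	if len(pkt) != spaLen {
		return fmt.Errorf("bad length %d", len(pkt))
	}
	uid := binary.BigEndian.Uint32(pkt[0:])
	rec, ok := clients[uid]
	if !ok {
		return fmt.Errorf("unknown UID %d", uid)
	}
	ctr := binary.BigEndian.Uint32(pkt[12:])
	if ctr <= rec.LastCtr {
		return fmt.Errorf("replayed or stale counter %d", ctr)
	}
	if !hmac.Equal(gmac(rec.Key, pkt[:16]), pkt[16:]) {
		return fmt.Errorf("GMAC mismatch")
	}
	if binary.BigEndian.Uint64(pkt[4:]) != hotp(rec.Seed, uint64(ctr)) {
		return fmt.Errorf("OTP mismatch")
	}
	rec.LastCtr = ctr
	return nil
}

func main() {
	seed, key := []byte("constructed-hotp-seed"), []byte("constructed 32-byte AES-256 key!")
	gateway := map[uint32]*ClientRecord{7: {Seed: seed, Key: key}}
	pkt := buildSPA(7, seed, key, 1)
	fmt.Println("first:", verifySPA(gateway, pkt), "| replay:", verifySPA(gateway, pkt))
}
```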

Slide 30: SDP Device Authentication: Mutual TLS

Slide 31: Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- EC: Elliptic Curve cryptography: smaller keys / faster math than RSA cryptography
- DHE: Diffie-Hellman key exchange algorithm
  - Generates the pre-master keys of GCM
  - Ephemeral keys per session for Perfect Forward Secrecy
  - But not client or server authentication
- RSA: Public/private key pair with an X.509 certificate: client and server authentication
  - Vidder's implementation: certificates "pinned" to a trusted root certificate, not the hundreds of (possibly compromised) roots browsers trust
  - Employs OCSP stapling (RFC 6066): forwards the OCSP response with the TLS Server Hello; reduces the load on the OCSP responder; mitigates a DoS attack on the OCSP responder
  - Mutual TLS: authentication of the client to server & server to client
- AES256-GCM: Advanced Encryption Standard (NIST FIPS 197)
  - Symmetric key encryption; 256-bit key, 128-bit cipher block size
  - Galois/Counter Mode: encryption with simultaneous data authentication
  - PCs and servers implement GCM in hardware: negligible performance impact
- SHA384: Secure Hash Algorithm (member of SHA-2)
  - Generates a 384-bit hash
  - Key Derivation Function (KDF) for generating keys from the master

Slide 32: SDP Device Authentication: Mutual TLS Handshake Deep Dive for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Slide 33: Controller's PKI Certificate Authority (CA) Initialization
[Diagram: the CA creates the Root Cert (subj: Vidder, issuer: Vidder, Vidder public key) and signs it with a signature over its hash; the CA also runs the OCSP and CRL services]

Slide 34: Controller Initialization
[Diagram: the CA hashes and signs the Controller Cert (subj: Ctrl, issuer: Vidder, Ctrl public key); the Controller ends up holding the Root Cert and its own Controller Cert, with OCSP/CRL available at the CA]

Slide 35: Mutual TLS: Client Initialization
[Diagram: the CA hashes and signs the Client Cert (subj: Client, issuer: Vidder, Client public key); the Client ends up holding the Root Cert, its own Client Cert and the Controller Cert; the Controller holds the Root Cert and Controller Cert]
- Private key put in the Certificate Store as Non-Exportable

Slide 36: Mutual TLS: Client Hello
[Diagram: the Client (holding Root Cert, Client Cert, Controller Cert) sends to the Controller (holding Root Cert, Controller Cert; CA/OCSP/CRL)]
Client Hello: highest SSL version, ciphers supported, Session Id = 0, Client RND, OCSP status

Slide 37: Mutual TLS: Server Hello
[Diagram: the Controller (holding Root Cert, Controller Cert; CA/OCSP/CRL) replies to the Client]
- Server Hello: selected SSL version, selected cipher, Session Id = RND, Server RND (the Controller Cert: subj: Ctrl, issuer: Vidder, Ctrl public key, signature, is sent with it)
- OCSP Response: serial #, validity time, signature, Good
- Server Key Exchange: random starting point "β", calculate βG; send βG with a signature over the hash of Cr, Sr, βG
- Certificate request (Vidder root only)
- Server Done

Slide 38: Mutual TLS: Client Verifies Server Cert
[Diagram: the Client checks the received Controller Cert, OCSP Response and Server Key Exchange against its Root Cert]
- Controller Cert: hash the cert and compare with the original hash recovered from the signature (Equal?)
- OCSP Response (serial #, validity time, signature, Good): hash and compare with the original hash recovered from the signature (Equal?)
- Server Key Exchange: hash Cr, Sr, βG and compare with the hash recovered from the signature (Equal?)
- Valid cert chain, not expired, not revoked: βG is accepted and the Controller's cert is trusted !!!

Slide 39: Mutual TLS: Client Key, Client Cert, Verify Client
- Client Key Exchange: random starting point "α", calculate αG, send αG
- Client Certificate: Client Cert (subj: Client, issuer: Vidder, Client public key, signature)
- Certificate Verify: signature over the hash of all handshake text so far
- Controller side: hash the Client Cert and compare with the original hash recovered from the signature (Equal?); check the OCSP Response (serial #, validity time, signature, Good) the same way; hash all text and compare with the Certificate Verify signature (Equal?)
- Valid cert chain, not expired, not revoked: αG is accepted, the Client's cert is trusted !!! Client is trusted !!!

Slide 40: Mutual TLS: Calculate Final ECDH Key, Derive Session Keys
- Controller: created β, received αG, ECDH = β(αG)
- Client: created α, received βG, ECDH = α(βG)
- Find point ECDH on the elliptic curve
- Premaster key (Kpm) = x coord of ECDH
- Master Key (Km) = PRF(Kpm, "master secret", Cr, Sr)
- Iterate PRF(Km, "key expansion", Sr, Cr) for AES keys: Client Key, Server Key, Client IV, Server IV
[Diagram: Client (Root Cert, Client Cert, Controller Cert) and Controller (Root Cert, Controller Cert; CA/OCSP/CRL) each compute the same keys]
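As an added example (not from the presentation), the key schedule of this slide in Go, which is also the TLS 1.2 form of the iterated hash chain K1 = H[Km], K2 = H[K1] on the hashing slide: an ECDHE shared point whose x coordinate is Kpm, Km = PRF(Kpm, "master secret", Cr, Sr) with P_SHA384, and PRF(Km, "key expansion", Sr, Cr) split into the AES-256-GCM write keys and IVs. The 4-byte implicit IV length is taken from RFC 5288; the hello randoms are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// pSHA384 is P_hash from RFC 5246 section 5 with SHA-384: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
// output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ... truncated to n bytes.
// It is the iterated chain K1 = H[Km], K2 = H[K1], ... from the hashing slide in its TLS 1.2 form.
func pSHA384(secret, seed []byte, n int) []byte {
	mac := func(parts ...[]byte) []byte {
		h := hmac.New(sha512.New384, secret)
		for _, p := range parts {
			h.Write(p)
		}
		return h.Sum(nil)
	}
	var out []byte
	a := seed
	for len(out) < n {
		a = mac(a)
		out = append(out, mac(a, seed)...)
	}
	return out[:n]
}

// prf is PRF(secret, label, seed) = P_SHA384(secret, label || seed) for the _SHA384 cipher suites.
func prf(secret []byte, label string, seed []byte, n int) []byte {
	return pSHA384(secret, append([]byte(label), seed...), n)
}

// masterSecret is the 48-byte Km = PRF(Kpm, "master secret", Cr || Sr).
func masterSecret(premaster, cr, sr []byte) []byte {
	return prf(premaster, "master secret", append(append([]byte{}, cr...), sr...), 48)
}

// SessionKeys is the AES_256_GCM key block of RFC 5288: two 32-byte write keys and two 4-byte
// implicit IVs (a per-record explicit part is added on the wire); AEAD suites have no MAC keys.
type SessionKeys struct {
	ClientKey, ServerKey, ClientIV, ServerIV []byte
}

// expandKeys is PRF(Km, "key expansion", Sr || Cr): note the randoms swap order versus masterSecret.
func expandKeys(master, cr, sr []byte) SessionKeys {
	kb := prf(master, "key expansion", append(append([]byte{}, sr...), cr...), 72)
	return SessionKeys{kb[0:32], kb[32:64], kb[64:68], kb[68:72]}
}

// premasterFromECDH multiplies our scalar by the peer's point (α(βG) = β(αG)); for NIST curves
// crypto/ecdh returns exactly the x coordinate, which is the premaster key Kpm.
func premasterFromECDH(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	return own.ECDH(peer)
}

func main() {
	client, _ := ecdh.P256().GenerateKey(rand.Reader) // α, αG
	server, _ := ecdh.P256().GenerateKey(rand.Reader) // β, βG
	cr := bytes.Repeat([]byte{0x11}, 32)              // constructed Client RND
	sr := bytes.Repeat([]byte{0x22}, 32)              // constructed Server RND
	pmC, _ := premasterFromECDH(client, server.PublicKey())
	pmS, _ := premasterFromECDH(server, client.PublicKey())
	kc := expandKeys(masterSecret(pmC, cr, sr), cr, sr)
	ks := expandKeys(masterSecret(pmS, cr, sr), cr, sr)
	fmt.Printf("same premaster: %v, same client write key: %v\n",
		bytes.Equal(pmC, pmS), bytes.Equal(kc.ClientKey, ks.ClientKey))
}
```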

Slide 41: Mutual TLS: Client Change Cipher Spec, Server Integrity Check
[Diagram: the Client sends Change Cypher Spec followed by its integrity check, a signature over the hash of all handshake text; the Controller hashes all text and compares it with the hash recovered from the signature (Equal?)]

Slide 42: Mutual TLS: Server Change Cipher Spec, Client Integrity Check
[Diagram: the Controller (PA) sends Change Cypher Spec followed by its integrity check, a signature over the hash of all handshake text; the Client hashes all text and compares it with the hash recovered from the signature (Equal?)]