Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mark Brown RedPhone Security

Published byCory Peters Modified over 6 years ago

Similar presentations

Presentation on theme: "Mark Brown RedPhone Security"— Presentation transcript:

1 Mark Brown RedPhone Security
Transport Layer Security (TLS) Authorization Extensions <draft-housley-tls-authz-extns-01.txt> Mark Brown RedPhone Security Russ Housley Vigil Security

2 Overview (1 of 2) Authorization extensions for the Handshake Protocol in both TLS 1.0 and TLS 1.1 Allow client to provide authorization information to the server Allow server to provide authorization information to the client

3 Overview (2 of 2) Client Server ClientHello
(with AuthorizationData) > ServerHello (with AuthorizationData) Certificate* ServerKeyExchange* CertificateRequest* < ServerHelloDone ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished > < Finished Application Data < > Application Data

4 Two Authorization Formats
enum { x509_attr_cert(0), saml_assertion(1), x509_attr_cert_url(2), saml_assertion_url(3), (255) } AuthzDataFormat; X.509 Attribute Certificate SAML Assertion URL to fetch either of these, with a hash value to ensure that the correct object was obtained

5 AuthorizationData (1 of 2)
struct { AuthorizationDataEntry authz_data_list<1..2^16-1>; } AuthorizationData; AuthzDataFormat authz_format; select (authz_format) { case x509_attr_cert: X509AttrCert; case saml_assertion: SAMLAssertion; case x509_attr_cert_url: URLandHash; case saml_assertion_url: URLandHash; } authz_data_entry; } AuthorizationDataEntry;

6 AuthorizationData (2 of 2)
opaque X509AttrCert<1..2^16-1>; opaque SAMLAssertion<1..2^16-1>; struct { opaque url<1..2^16-1>; HashType hash_type; select (hash_type) { case sha1: SHA1Hash; case sha256: SHA256Hash; } hash; } URLandHash; enum { sha1(0), sha256(1), (255) } HashType;

7 Sensitive Authorization Information
Solved by double handshake Client Server ClientHello (no AuthorizationData) > ServerHello (no AuthorizationData) Certificate* ServerKeyExchange* CertificateRequest* < ServerHelloDone ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished > < Finished (more on next slide)

8 The rest of the double handshake
Client Server ClientHello (with AuthorizationData) > ServerHello (with AuthorizationData) Certificate* ServerKeyExchange* CertificateRequest* < ServerHelloDone ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished > < Finished Application Data < > Application Data

9 More efficient with resumption
Client Server ClientHello (no AuthorizationData) > ServerHello (no AuthorizationData) Certificate* ServerKeyExchange* CertificateRequest* < ServerHelloDone ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished > < Finished (with AuthorizationData) > (with AuthorizationData Application Data < > Application Data

10 Open Issue Need to allow an empty AuthorizationData extension
Client wants authorization information from the server, so it needs to include the extension in the client hello message Server wants to indicate that the authorization information provided by the client was accepted, but the server has none to provide

11 Way Forward Should this become a TLS WG document?
If not, will proceed as standards-track individual submission

Download ppt "Mark Brown RedPhone Security"

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Internet Security CSCE 813 Transport Layer Security

Internet Security CSCE 813 Transport Layer Security
TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.

TESTING CRYPTOGRAPHIC PROTOCOL IMPLEMENTATIONS. Verifying crypto protocols  Lots of formal methods  Good representative: Blanchet’s ProVerif Mainly.
Security at the Transport Layer Lecture 6. Information and Nework Security2 SSL/TLS n SSL was developed by Phil Karlton & Netscape. çThe standards community.

Security at the Transport Layer Lecture 6. Information and Nework Security2 SSL/TLS n SSL was developed by Phil Karlton & Netscape. çThe standards community.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.
An Introduction to SSL/TLS and Certificates Providing secure communication over the Internet Frederick J. Hirsch

An Introduction to SSL/TLS and Certificates Providing secure communication over the Internet Frederick J. Hirsch
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
We leave the world of cryptography for a while.

We leave the world of cryptography for a while.
IETF 76 – Hiroshima Internet Draft : EAP-BIO Pascal URIEN – Telecom ParisTech Christophe KIENNERT – Telecom ParisTech.

IETF 76 – Hiroshima Internet Draft : EAP-BIO Pascal URIEN – Telecom ParisTech Christophe KIENNERT – Telecom ParisTech.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
A Survey of WAP Security Architecture Neil Daswani

A Survey of WAP Security Architecture Neil Daswani
Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices Neil Daswani September 21, 2000.

Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices Neil Daswani September 21, 2000.
Intro to SSL/TLS Network Security Gene Itkis. 6/14/2015 Gene Itkis: CS558 Network Security 2 Origins Internet Engineering Task Force (IETF) –www.ietf.orgwww.ietf.org.

Intro to SSL/TLS Network Security Gene Itkis. 6/14/2015 Gene Itkis: CS558 Network Security 2 Origins Internet Engineering Task Force (IETF) –

Similar presentations

Ads by Google