CSE 4095 Transport Layer Security TLS, Part II


Presentation on theme: "CSE 4095 Transport Layer Security TLS, Part II"— Presentation transcript:

1 CSE 4095 Transport Layer Security TLS, Part II

2 Handshake Protocol Diagram

3 Recall handshake protocol
- ClientHello
- ServerHello, Certificate*, ServerHelloDone
- ClientKeyExchange, Finished
- Finished from server side

4 TLS: sharing session keys
- Session key: used only for a session and then discarded
- Use asymmetric ciphers to exchange or generate keying materials to derive session keys
  - Key exchange: client uses asymmetric encryption to send a pre-master secret securely to the server
  - Key generation: two sides exchange unencrypted components; both then derive symmetric session

5 Key exchange

6 Key generation

7 Perfect forward secrecy
- Compromising server’s private key would not compromise past sessions
- Difficult to achieve for RSA
  - Pre-master key encrypted by server’s private key, and is sent over network
- DH with ephemeral key
  - Session keys for past sessions are the only keys that will decrypt the session’s data
  - Keys not transmitted over network

8 Summary of key exchange/generation
- Three ways:
  - RSA
  - DH long-term keys
  - DH ephemeral keys: provides perfect forward secrecy
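The three options from slides 7 and 8, as an added Python example that is not part of the original slides: it runs one toy handshake per option and checks which recorded transcripts give up their secret once the server's long-term keys leak. The group, key sizes, dictionary fields and function names are all constructed for illustration and are far too small for real use.

```python
import secrets

# Toy parameters (constructed; not safe sizes).
P = 2**127 - 1                              # prime modulus for Diffie-Hellman
G = 3
RSA_P, RSA_Q, E = 2**61 - 1, 2**89 - 1, 65537
N = RSA_P * RSA_Q
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's long-term RSA private exponent
STATIC_Y = secrets.randbelow(P - 3) + 2     # server's long-term DH exponent


def run_session(mode):
    """Run one handshake; return (what crosses the wire, secret both sides hold)."""
    if mode == "RSA":
        premaster = secrets.randbelow(N - 2) + 2
        # Client encrypts to the server's public key (N, E); only D decrypts it.
        return {"mode": mode, "encrypted_premaster": pow(premaster, E, N)}, premaster
    x = secrets.randbelow(P - 3) + 2         # client exponent, discarded after use
    y = STATIC_Y if mode == "DH" else secrets.randbelow(P - 3) + 2
    wire = {"mode": mode, "client_pub": pow(G, x, P), "server_pub": pow(G, y, P)}
    secret = pow(wire["server_pub"], x, P)
    assert secret == pow(wire["client_pub"], y, P)   # server derives the same value
    return wire, secret                      # DHE: y is discarded when this returns


def recover_after_compromise(wire, leaked):
    """What a recorded transcript yields once the long-term keys leak."""
    if wire["mode"] == "RSA":
        return pow(wire["encrypted_premaster"], leaked["rsa_d"], N)
    if wire["mode"] == "DH":
        return pow(wire["client_pub"], leaked["dh_static_y"], P)
    return None   # DHE: no long-term value took part in deriving the secret


def demo():
    """Map each mode to True if the past session's secret is recoverable."""
    leaked = {"rsa_d": D, "dh_static_y": STATIC_Y}
    results = {}
    for mode in ("RSA", "DH", "DHE"):
        wire, secret = run_session(mode)
        results[mode] = recover_after_compromise(wire, leaked) == secret
    return results


if __name__ == "__main__":
    print(demo())
```

In the DHE case the long-term key is only used to sign the server's ephemeral value (slide 10), so leaking it later allows impersonation in new sessions but not decryption of recorded ones.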

9 ServerKeyExchange
- Sent by the server only when the server Certificate message (if sent) does not contain enough data to allow the client to exchange a premaster secret
- Will be sent immediately after the server Certificate message (or the ServerHello message, if this is an anonymous negotiation (not recommended in practice))

10 ServerKeyExchange (cont’d)
- Signature is used to verify identity of server

11 Client certificate
- Only sent if the server requests a certificate
- Send client certificate chain to server
- If no suitable certificate, must send certificate message of length zero; server decides to proceed or fail
- Server uses the certificate to verify the CertificateVerify message (when the client authentication is based on signing) or to calculate the premaster secret (for non-ephemeral Diffie-Hellman)

12 ClientKeyExchange message
- Used to set the premaster secret, so that both sides agree upon the same pre-master secret
- RSA: send RSA-encrypted secret
- DH fixed, DH-ephemeral: send DH parameters
- If client has sent a certificate containing a static DH exponent, then this message must be empty

13 Client CertificateVerify
- This message is only sent following a client certificate that has signing capability (i.e., all certificates except those containing fixed Diffie-Hellman parameters)
- Basically contains a signature of all the handshake messages, not including this one
- This message is used to provide explicit verification of a client certificate

14 Alert protocol (RFC 2246)
- When things go wrong an alert is generated
  - Session ends or the recipient is given the opportunity to continue
- What can go wrong
  - bad_certificate
  - unsupported_certificate
  - certificate_expired
  - handshake_failure
  - unknown_ca

15 ChangeCipherSpec
- Sent by both the client and the server to notify the receiving party that subsequent records will be protected under the newly negotiated CipherSpec and keys
- Sent during the handshake after the security parameters have been agreed upon, but before the verifying Finished message is sent
- Short message: contains only the record header and a value of 1
- Mandatory, not encrypted; indicates that all later messages will be encrypted

16 SSL/TLS connection
- handshake: ClientHello
- handshake: ServerHello
- handshake: Certificate
- handshake: ServerHelloDone
- handshake: ClientKeyExchange
- ChangeCipherSpec
- handshake: Finished
- application_data
- Alert: warning, close_notify
[Figure annotations: "everything henceforth is encrypted"; "TCP FIN follows"]

17 Why is close_notify needed in TLS?
- TCP FIN marks the end of a TCP connection
- Is close_notify needed?
  - TCP FIN is indicated by a bit in the TCP header, which is not encrypted
  - close_notify is a message in the Alert protocol, which is encrypted
  - An attacker can send a TCP FIN before the end of the session, which cannot be detected if there is no close_notify message
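A receiver-side check for the truncation case on slide 17, as an added Python example that is not from the original slides. It works on records as they look after decryption and MAC verification; the `record` and `receive` helpers and the sample session are constructed, and the header uses the 5-byte layout of RFC 2246 (type, version, 2-byte length).

```python
import struct

ALERT, APPLICATION_DATA = 21, 23      # record content types (RFC 2246)
WARNING, CLOSE_NOTIFY = 1, 0          # alert level and alert description


def record(ctype, payload):
    """Constructed plaintext record: type, version 3.1, 2-byte length, payload."""
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload


def receive(stream):
    """Consume records until the byte stream ends (the TCP FIN).

    Returns (data, clean). clean is True only if a close_notify alert arrived
    before the FIN; otherwise the data may have been cut short in transit.
    """
    data, pos = b"", 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            return data, False                    # FIN in the middle of a header
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        payload = stream[pos + 5 : pos + 5 + length]
        if len(payload) < length:
            return data, False                    # FIN in the middle of a record
        pos += 5 + length
        if ctype == APPLICATION_DATA:
            data += payload
        elif ctype == ALERT and payload == bytes([WARNING, CLOSE_NOTIFY]):
            return data, True                     # authenticated end of data
    return data, False                            # FIN without close_notify


# Constructed session: two data records followed by close_notify.
SESSION = [
    record(APPLICATION_DATA, b"Refund approved"),
    record(APPLICATION_DATA, b" only after manager review"),
    record(ALERT, bytes([WARNING, CLOSE_NOTIFY])),
]

if __name__ == "__main__":
    print(receive(b"".join(SESSION)))   # complete message, clean close
    print(receive(SESSION[0]))          # FIN injected after the first record
```

An application that ignores the `clean` flag would act on "Refund approved" alone; treating a missing close_notify as an error is what turns the injected FIN into a detectable event.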

18 TLS protocols
- Handshaking protocol
  - Handshake Protocol
  - Change Cipher Spec Protocol
  - Alert Protocol
- Record protocol
  - Lower layer protocol to support handshaking protocol and application data protocol

19 Record protocol
- 4 types of records
  - Handshake records
  - ChangeCipherSpec records
  - Alert records
  - Application data records

20 Record Protocol
[Figure labels: data; fragment; MAC; encrypted data and MAC; record header]
- Divide data into fragments
- Each fragment up to 2^14 bytes (~16 Kbytes)
- Data and MAC encrypted using symmetric key
- Record header: content type; version; length

21 SSL/TLS record format
[Figure: record layout. Fields in order: content type, SSL version, length, data, MAC. Field-width labels: 1 byte, 2 bytes, 3 bytes.]
- Data and MAC encrypted (symmetric algorithm)

22 MAC in record
- Keyed MAC (e.g., HMAC) to protect message integrity
- Generated as MAC(MAC_write_key, seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length + TLSCompressed.fragment), where
  - "+" denotes concatenation
  - MAC(): MAC algorithm agreed upon earlier
  - seq_num: sequence number of the record

23 Questions on MAC
- Why include both header and content?
  - Detect modification in header
- Why need to include sequence number?
  - MAC detects whether a record has been tampered with; record sequence number detects tampering in record order
- Why no need to include record sequence number explicitly in record?
  - No need to include sequence number since TCP provides in-order delivery; two sides just count independently
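The MAC from slide 22 and the three answers on slide 23, as an added Python example that is not from the original slides. It uses HMAC-SHA1 with a constructed key, leaves out the encryption step, and encodes the length as the 2-byte field RFC 2246 defines; the class and function names are illustrative.

```python
import hashlib
import hmac
import struct

VERSION = (3, 1)                         # TLS 1.0 (RFC 2246)
MAC_LEN = hashlib.sha1().digest_size


class RecordEndpoint:
    """One direction of a connection: a MAC key plus an implicit record counter."""

    def __init__(self, mac_write_key):
        self.key = mac_write_key
        self.seq_num = 0                 # never sent; each side counts records itself

    def _mac(self, ctype, fragment):
        # seq_num + type + version + length, then the fragment ("+" is concatenation)
        prefix = struct.pack("!QBBBH", self.seq_num, ctype, *VERSION, len(fragment))
        return hmac.new(self.key, prefix + fragment, hashlib.sha1).digest()

    def seal(self, ctype, fragment):
        """Build header + fragment + MAC (encryption omitted in this example)."""
        header = struct.pack("!BBBH", ctype, *VERSION, len(fragment) + MAC_LEN)
        sealed = header + fragment + self._mac(ctype, fragment)
        self.seq_num += 1
        return sealed

    def unseal(self, sealed):
        """Return the fragment, or None if the header or MAC does not check out."""
        ctype, major, minor, length = struct.unpack("!BBBH", sealed[:5])
        body = sealed[5:]
        if (major, minor) != VERSION or length != len(body) or length < MAC_LEN:
            return None
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(ctype, fragment)):
            return None                  # real TLS sends a fatal alert and stops here
        self.seq_num += 1
        return fragment


def deliver(records, key):
    """Feed records to a fresh receiver in the given order; None marks a rejection."""
    receiver = RecordEndpoint(key)
    return [receiver.unseal(r) for r in records]
```

Swapping, replaying or dropping records shifts the receiver's counter out of step with the value the sender authenticated, and changing the content type in the header changes the MAC input, so each case is rejected without any sequence number on the wire.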

24 Summary
- TLS: de facto standard for Internet security
- “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications”
- Two main protocols
  - Handshaking protocol
  - Record protocol

