Presentation is loading. Please wait.

Presentation is loading. Please wait.

Transport Layer Security (TLS) Bill Burr November 2, 2001.

Published byJustine Satterlee Modified over 9 years ago

Similar presentations

Presentation on theme: "Transport Layer Security (TLS) Bill Burr November 2, 2001."— Presentation transcript:

1 Transport Layer Security (TLS) Bill Burr william.burr@nist.gov November 2, 2001

2 Transport Layer Security (TLS)  Version 3.1 of Secure Socket Layer (SSL) –“standardized” by IETF RFC2246 –Several earlier versions V2 not very secure  End-to-end between a client and server –Sits on top of TCP –Requires reliable connection  Most important Internet crypto protocol? –Secure web pages –E-mail and LDAP access control

3 TLS Example: Client Authent. ClientServer Client Hello supported ciphers client_random compression Server Hello TLS_RSA_WITH_3DES... Server_random compression session_ID Certificate Server RSA Certificate Certificate Request certiricte_types certificate_authorities Hello Done Optional messages for client authentication have gold background

4 TLS Example: Client Authent. ClientServer Client Certificate client’s PK certificate Client Key Exchange E SK (pre_master_secret) Certificate Verify Signature (prev. messages) Change Cipher Spec Handshake Finished verify_data Change Cipher Spec Handshake Finished verify_data

5 3DES Cipher Suites  TLS_RSA_WITH_3DES_EDE_CBC_SHA  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  TLS_RSA_WITH_NULL_SHA

6 AES Cipher Suites  TLS_RSA_WITH_AES_128_CBC_SHA  TLS_DH_DSS_WITH_AES_128_CBC_SHA  TLS_DH_RSA_WITH_AES_128_CBC_SHA  TLS_DHE_DSS_WITH_AES_128_CBC_SHA  TLS_DHE_RSA_WITH_AES_128_CBC_SHA  TLS_RSA_WITH_AES_256_CBC_SHA  TLS_DH_DSS_WITH_AES_256_CBC_SHA  TLS_DH_RSA_WITH_AES_256_CBC_SHA  TLS_DHE_DSS_WITH_AES_256_CBC_SHA  TLS_DHE_RSA_WITH_AES_256_CBC_SHA

7 Pseudorandom Function (PFR)  Feeds a secret, a label, and a seed into an iterated HMAC to generate a pseudorandom stream  Uses SHA1 & MD5 –Intended to be secure if either is secure The secret is split into halves, and one half is fed into the SHA1 HMAC and the other into the MD5 HMAC and the outputs are exclusive ORED. If one hash is bad enough, entropy would be lost.

8 Pseudorandom Function (PRF)

9  Used with pre_master_secret, client-random server_random & label “master_secret” to generate 48-byte master-secret  Used with master_secret, server_random, client_random & label “key expansion” to generate key block  Also used to generate the verify_data key confirmation parameter of the Handshake Finished message

10 Proposed Client Guidance  Only do TLS (version 3.1) –But client is normally expected to be able to do highest version specified in Client Hello, plus every previous version!  Server can choose any suite the client includes in Client Hello message  Offer only 3DES or AES Cipher suites –Never include 40 or 56-bit suites –Encryption not required but anonymous cipher suites not allowed  1024-bit RSA/DSA client certificates are OK until 2015

11 Proposed Server Guidance  Implement only TLS, not SSL –Clients that can’t do TLS are out of luck  Use only 3DES or AES Cipher Suites  Server key management certificate subject key size needs to match confidentiality requirements –If data must be kept secret after 2015, then RSA/DSA encryption keys larger than 1024 are needed.

12 For Maximum Security  RSA or DSA authentication with ephemeral Diffie-Hellman key exchange –E.g., TLS_DHE_RSA_WITH_AES_128_CBC_SHA –Perfect forward secrecy –Potentially large DH keys for long term confidentiality, with whatever authentication key size is currently needed  But, –How many products do ephemeral Diffie-Hellman? –Performance price

13 Issues  Do implementations check server identity?  Use of same RSA server key for authentication and key management  Is payload SHA-1 HMAC strong enough for 112, 128 & 256-bit encryption?  Is 96-bit verify-data key confirmation strong enough for 112, 128 & 256-bit encryption?  Is the PRF strong enough for 112, 128 & 256-bit encryption? –Does MD5 HMAC poison the well?  “Non-standard” signature formts  Diffie-Hellman doesn’t follow a NIST scheme

14 Questions and Discussion

Download ppt "Transport Layer Security (TLS) Bill Burr November 2, 2001."

Similar presentations

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Web security: SSL and TLS

Web security: SSL and TLS
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
1 Information System Security AABFS-Jordan Summer 2006 Web security: SSL and TLS Prepared by : Mohammed tarawneh Presented to: Dr. Lo’ai Tawalebeh.

1 Information System Security AABFS-Jordan Summer 2006 Web security: SSL and TLS Prepared by : Mohammed tarawneh Presented to: Dr. Lo’ai Tawalebeh.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Lecture 7: Transport Level Security – SSL/TLS CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Tony Barnard.

Lecture 7: Transport Level Security – SSL/TLS CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Tony Barnard.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

Similar presentations

Ads by Google