Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security.

Published byJaxson jay Stephans Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 378 SSL/TLS

2 slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications” In practice, used to protect information transmitted between browsers and Web servers uBased on Secure Sockets Layers protocol, ver 3.0 Same protocol design, different algorithms uDeployed in nearly every Web browser

3 slide 3 SSL / TLS in the Real World

4 slide 4 TLS is an Application-Layer Protocol application presentation session transport network data link physical IP TCP email, Web, NFS RPC 802.11 Protects againt application-level threats (server impersonation, eavesdropping), NOT against TCP/IP threats (spoofing, SYN flood, DDoS)

5 slide 5 History of the Protocol uSSL 1.0 Internal Netscape design, early 1994? Lost in the mists of time uSSL 2.0 Published by Netscape, November 1994 Several weaknesses uSSL 3.0 Designed by Netscape and Paul Kocher, November 1996 uTLS 1.0 Internet standard based on SSL 3.0, January 1999 Not interoperable with SSL 3.0 –TLS uses HMAC instead of MAC; can run on any port

6 slide 6 “Request for Comments” uNetwork protocols are usually disseminated in the form of an RFC uTLS version 1.0 is described in RFC 2246 uIntended to be a self-contained definition of the protocol Describes the protocol in sufficient detail for readers who will be implementing it and those who will be doing protocol analysis Mixture of informal prose and pseudo-code

7 slide 7 Evolution of the SSL/TLS RFC

8 slide 8 TLS Basics uTLS consists of two protocols Familiar pattern for key exchange protocols uHandshake protocol Use public-key cryptography to establish a shared secret key between the client and the server uRecord protocol Use the secret key established in the handshake protocol to protect communication between the client and the server uWe will focus on the handshake protocol

9 slide 9 TLS Handshake Protocol uTwo parties: client and server uNegotiate version of the protocol and the set of cryptographic algorithms to be used Interoperability between different implementations of the protocol uAuthenticate client and server (optional) Use digital certificates to learn each other’s public keys and verify each other’s identity uUse public keys to establish a shared secret

10 slide 10 Handshake Protocol Structure C ClientHello ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone S [Certificate], ClientKeyExchange, [CertificateVerify] Finished switch to negotiated cipher Finished switch to negotiated cipher Record of all sent and received handshake messages

11 slide 11 ClientHello C S Client announces (in plaintext): Protocol version he is running Cryptographic algorithms he supports

12 slide 12 struct { ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites; CompressionMethod compression_methods; } ClientHello ClientHello (RFC) Highest version of the protocol supported by the client Session id (if the client wants to resume an old session) Set of cryptographic algorithms supported by the client (e.g., RSA or Diffie-Hellman)

13 slide 13 ServerHello C C, Version c, suite c, N c ServerHello S Server responds (in plaintext) with: Highest protocol version supported by both client and server Strongest cryptographic suite selected from those offered by the client

14 slide 14 ServerKeyExchange C Version s, suite s, N s, ServerKeyExchange S Server sends his public-key certificate containing either his RSA, or his Diffie-Hellman public key (depending on chosen crypto suite) C, Version c, suite c, N c

15 slide 15 ClientKeyExchange C Version s, suite s, N s, sig ca (S,K s ), “ServerHelloDone” S C, Version c, suite c, N c ClientKeyExchange Client generates some secret key material and sends it to the server encrypted with the server’s public key (if using RSA)

16 slide 16 struct { select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys } ClientKeyExchange struct { ProtocolVersion client_version; opaque random[46]; } PreMasterSecret ClientKeyExchange (RFC) Random bits from which symmetric keys will be derived (by hashing them with nonces)

17 slide 17 “Core” SSL 3.0 Handshake C Version s =3.0, suite s, N s, sig ca (S,K s ), “ServerHelloDone” S C, Version c =3.0, suite c, N c {Secret c } Ks switch to key derived from secret c If the protocol is correct, C and S share some secret key material (secret c ) at this point switch to key derived from secret c

18 slide 18 Version Rollback Attack C Version s =2.0, suite s, N s, sig ca (S,K s ), “ServerHelloDone” S C, Version c =2.0, suite c, N c {Secret c } Ks C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include “Finished” messages) Server is fooled into thinking he is communicating with a client who supports only SSL 2.0

19 slide 19 SSL 2.0 Weaknesses (Fixed in 3.0) uCipher suite preferences are not authenticated “Cipher suite rollback” attack is possible uWeak MAC construction uSSL 2.0 uses padding when computing MAC in block cipher modes, but padding length field is not authenticated Attacker can delete bytes from the end of messages uMAC hash uses only 40 bits in export mode uNo support for certificate chains or non-RSA algorithms, no handshake while session is open

20 slide 20 “Chosen-Protocol” Attacks uWhy do people release new versions of security protocols? Because the old version got broken! uNew version must be backward-compatible Not everybody upgrades right away uAttacker can fool someone into using the old, broken version and exploit known vulnerability Similar: fool victim into using weak crypto algorithms uDefense is hard: must authenticate version early uMany protocols had “version rollback” attacks SSL, SSH, GSM (cell phones)

21 slide 21 Version Check in SSL 3.0 C Version s =3.0, suite s, N s, sig ca (S,K s ), “ServerHelloDone” S C, Version c =3.0, suite c, N c {Version c,Secret c } Ks switch to key derived from secret c If the protocol is correct, C and S share some secret key material secret c at this point switch to key derived from secret c “Embed” version number into secret Check that received version is equal to the version in ClientHello

22 slide 22 SSL/TLS Record Protection Use symmetric keys established in handshake protocol

23 slide 23 Reading Assignment uStallings 7.1 and 7.2

Download ppt "Slide 1 Vitaly Shmatikov CS 378 SSL/TLS. slide 2 What is SSL / TLS? uTransport Layer Security protocol, version 1.0 De facto standard for Internet security."

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
ECE 454/CS 594 Computer and Network Security

ECE 454/CS 594 Computer and Network Security
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
The Secure Socket Layer Protocol (SSL) CS391. Overview.

The Secure Socket Layer Protocol (SSL) CS391. Overview.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Similar presentations

Ads by Google