CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

1 CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz

2 SSL/TLS

3 Brief history…
- SSLv2 deployed in Netscape 1.1 (1995)
- Microsoft improved upon it…
- Netscape deployed SSLv3
  - Most commonly deployed
- IETF introduced TLS
  - Similar, but incompatible…
- Here, we just say “SSL”!

4 Broad overview
- SSL runs on top of TCP, in a user-level process
  - Recall, does not require changes to the OS
  - Using TCP rather than UDP simplifies things
    - Recall, this opens a potential DoS attack

5 Basic protocol flow
- Alice (client) sends “hello”, supported crypto, and nonce R_A
- Bob (server) sends a certificate, selects crypto, and sends nonce R_B
- Alice encrypts S with Bob’s public key
  - Alice/Bob derive key(s) from R_A, R_B, S
  - Must be careful about which encryption scheme is used!

6 Basic flow, continued…
- They each authenticate the initial handshake using the shared key(s)
- The keys are used to encrypt/authenticate all subsequent communication
  - Separate keys shared for encryption and authentication in each direction
  - Also for IVs… (but this is a flaw!)
  - Sequence numbers used to prevent replay
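The key derivation and record layer of slides 5 and 6, as an added Python example that is not from the lecture. It assumes the public-key transport of S has already happened (both sides simply hold S), uses an HMAC-based expansion as a stand-in for SSL's key-derivation PRF, and a toy HMAC keystream in place of the negotiated cipher. It derives separate encryption and MAC keys per direction, MACs every record under a locally counted sequence number that is never transmitted, and shows that a replayed record and a server record reflected back at the server both fail the MAC.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the handshake values on the slides. The step in which
# the client sends S under the server's public key is assumed to have already
# happened and is not modelled; both sides simply hold S.
R_A = secrets.token_bytes(32)  # client nonce
R_B = secrets.token_bytes(32)  # server nonce
S = secrets.token_bytes(48)    # secret chosen by the client


def derive_keys(r_a, r_b, s):
    """Master secret from (R_A, R_B, S), then one encryption key and one MAC key
    per direction. The HMAC expansion is an assumed simplification of the SSL
    PRF; the four-key layout is what the slides describe."""
    master = hmac.new(s, b"master secret" + r_a + r_b, hashlib.sha256).digest()
    return {
        label: hmac.new(master, label.encode() + r_a + r_b, hashlib.sha256).digest()
        for label in ("client-enc", "client-mac", "server-enc", "server-mac")
    }


def keystream_xor(key, seq, data):
    """Toy confidentiality layer standing in for the negotiated cipher: XOR with an
    HMAC-derived keystream bound to the record's sequence number. Not a real SSL
    cipher; it exists only so the record layer below has something to encrypt."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def mac(key, seq, ciphertext):
    # The sequence number is MACed but never transmitted: each side counts locally.
    return hmac.new(key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


class Sender:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def send(self, plaintext):
        ct = keystream_xor(self.enc_key, self.seq, plaintext)
        record = (ct, mac(self.mac_key, self.seq, ct))
        self.seq += 1
        return record


class Receiver:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def receive(self, record):
        ct, tag = record
        if not hmac.compare_digest(mac(self.mac_key, self.seq, ct), tag):
            raise ValueError("MAC failure: replayed, reordered, reflected or tampered record")
        plaintext = keystream_xor(self.enc_key, self.seq, ct)
        self.seq += 1
        return plaintext


def demo(r_a=R_A, r_b=R_B, s=S):
    keys = derive_keys(r_a, r_b, s)
    # client -> server direction uses the client-write keys on both ends
    client_out = Sender(keys["client-enc"], keys["client-mac"])
    server_in = Receiver(keys["client-enc"], keys["client-mac"])
    # server -> client direction uses the separate server-write keys
    server_out = Sender(keys["server-enc"], keys["server-mac"])

    rec = client_out.send(b"GET / HTTP/1.0")
    plaintext = server_in.receive(rec)

    def rejected(record):
        try:
            server_in.receive(record)
            return False
        except ValueError:
            return True

    return {
        "plaintext": plaintext,
        "replay_rejected": rejected(rec),                         # same record again
        "reflection_rejected": rejected(server_out.send(b"hi")),  # server record bounced back
        "directional_keys_distinct": len(set(keys.values())) == 4,
    }


if __name__ == "__main__":
    print(demo())
```

The receiver never trusts a sequence number from the wire; it MACs with its own counter, which is exactly why a replayed record (tagged under the old counter) and a reflected server record (tagged under the other direction's key) both fail without any extra bookkeeping.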

7 Note…
- As described, SSL only provides one-way authentication (server-to-client)
- Not generally common for clients to have public keys
- Can do mutual authentication over SSL using, e.g., a password
  - SSL also allows for clients to have public keys

8 Session resumption
- Because it was designed with http traffic in mind, one “session” can be used to derive many secure “connections”
  - Server assigns a session_id and stores that along with the session key
  - “Connection keys” can be derived from the session key (assumes the client remembers it) and fresh nonces
  - Can always re-derive a session key (expensive!)

9 Some attacks (and fixes)
- Man-in-the-middle can downgrade the acceptable crypto in Alice’s first message
  - One of the problems with negotiating crypto…
  - Fixed by authenticating handshake phase
- An adversary could also close a connection early (TCP close_connection_request was not integrity-protected)
  - Fixed by adding “finish” message which is authenticated
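An added Python sketch (not the lecture's code) of the session resumption from slide 8 and the downgrade fix from slide 9. The Server class, the client-side functions, the cipher-suite names and the kdf helper are all constructed for this example; the transport of S under the server's public key is assumed to have happened out of band. A constructed man-in-the-middle strips the strong suite from the client hello: with handshake authentication off, the server silently picks the weak suite, and with finished messages computed over each side's own view of the transcript, the mismatch aborts the handshake. Resumed connections reuse the stored master key with fresh nonces and no public-key operation.

```python
import hashlib
import hmac
import secrets

# Constructed suite names; only "STRONG is preferred over WEAK" matters here.
STRONG, WEAK = b"strong-suite", b"weak-suite"
OFFERED = [STRONG, WEAK]


def kdf(key, label, *parts):
    """Assumed HMAC-based stand-in for the SSL key-derivation PRF."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def nonce():
    return secrets.token_hex(16).encode()  # hex, so '|' never appears in a field


def encode_hello(suites, r_a):
    return b",".join(suites) + b"|" + r_a


def decode_hello(msg):
    suites, r_a = msg.split(b"|")
    return suites.split(b","), r_a


class Server:
    def __init__(self, authenticate_handshake=True):
        self.authenticate_handshake = authenticate_handshake
        self.sessions = {}  # session_id -> master key, kept server-side (slide 8)
        self.pending = None

    def hello(self, client_hello_on_wire):
        offered, r_a = decode_hello(client_hello_on_wire)
        chosen = STRONG if STRONG in offered else WEAK  # best suite the client offered
        r_b, sid = nonce(), secrets.token_hex(8).encode()
        server_hello = chosen + b"|" + r_b + b"|" + sid
        self.pending = (client_hello_on_wire + server_hello, r_a, r_b, sid)
        return server_hello

    def finish(self, s, client_finished):
        transcript, r_a, r_b, sid = self.pending  # the handshake as the server saw it
        master = kdf(s, b"master", r_a, r_b)
        expected = kdf(master, b"client finished", transcript)
        if self.authenticate_handshake and not hmac.compare_digest(expected, client_finished):
            raise ValueError("client finished does not match transcript: handshake tampered")
        self.sessions[sid] = master
        return kdf(master, b"server finished", transcript)

    def resume(self, sid, r_a):
        master = self.sessions[sid]  # KeyError if the server no longer has the session
        r_b = nonce()
        self.last_connection_key = kdf(master, b"connection", r_a, r_b)
        return r_b


def full_handshake(server, mitm=None, authenticate=True):
    """Client side of a full handshake; `mitm` may rewrite the client hello in transit."""
    r_a = nonce()
    client_hello = encode_hello(OFFERED, r_a)
    server_hello = server.hello(mitm(client_hello) if mitm else client_hello)
    chosen, r_b, sid = server_hello.split(b"|")
    s = secrets.token_bytes(48)  # would travel under the server's public key; assumed delivered
    master = kdf(s, b"master", r_a, r_b)
    transcript = client_hello + server_hello  # the handshake as the client saw it
    server_finished = server.finish(s, kdf(master, b"client finished", transcript))
    if authenticate and not hmac.compare_digest(
            server_finished, kdf(master, b"server finished", transcript)):
        raise ValueError("server finished does not match transcript: handshake tampered")
    return chosen, sid, master


def resume(server, sid, master):
    """Resumed connection: fresh nonces, stored master key, no public-key operation."""
    r_a = nonce()
    r_b = server.resume(sid, r_a)
    return kdf(master, b"connection", r_a, r_b)


def strip_strong_suite(hello):
    # Constructed downgrade: the strong suite is deleted from the offer in transit.
    return encode_hello([WEAK], decode_hello(hello)[1])


def demo():
    results = {}
    server = Server()
    chosen, sid, master = full_handshake(server)
    k1, k2 = resume(server, sid, master), resume(server, sid, master)
    results["honest_suite"] = chosen
    results["resumed_key_matches_server"] = k2 == server.last_connection_key
    results["connection_keys_differ"] = k1 != k2
    # Unauthenticated handshake: the downgrade goes unnoticed.
    chosen, _, _ = full_handshake(Server(authenticate_handshake=False),
                                  mitm=strip_strong_suite, authenticate=False)
    results["downgrade_without_auth"] = chosen
    # Finished messages over each side's transcript: the same downgrade aborts.
    try:
        full_handshake(Server(), mitm=strip_strong_suite)
        results["downgrade_detected"] = False
    except ValueError:
        results["downgrade_detected"] = True
    return results
```

The detection works because each side MACs the handshake it actually sent and received: the client includes the full offer, the server includes the stripped one, so the finished values can never agree once anything in the hello was altered.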

10 PGP

11 Overview
- There are many schemes for “secure email”
- PGP is popular for a number of reasons…
  - …one of which is its PKI model (i.e., the “web of trust”)

12 Overview
- PGP provides for both encryption and digital signatures
- Encryption
  - Standard techniques…
  - Multiple recipients handled efficiently
- Signatures
  - Again, standard techniques…

13 “Web of trust”
- Anarchy model
- User-defined level of trust in any signature / principal
- Can be simplified somewhat if the user chooses to do so…
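The validity computation behind the web of trust, as an added Python example that is not PGP's code. Signatures are modelled as already-verified signer-to-subject edges; the threshold rule (one fully trusted or two marginally trusted valid introducers, bounded path depth) is GnuPG's default and is an assumption here, as are the key names. Lowering the thresholds or assigning full trust to a single key is the kind of simplification the slide alludes to, since the structure then collapses to a single-introducer hierarchy.

```python
from collections import defaultdict

# Owner-assigned trust in a key as an introducer (slide 13: user-defined trust level).
FULL, MARGINAL, NONE = "full", "marginal", "none"


class WebOfTrust:
    """Key validity from signatures plus user-assigned introducer trust.

    Assumed rule (GnuPG's defaults, not stated on the slide): a key is valid once it
    carries signatures from at least `completes_needed` fully trusted valid keys or
    `marginals_needed` marginally trusted valid keys, within `max_depth` hops of the
    user's own key. Signatures are taken as already cryptographically verified.
    """

    def __init__(self, own_key, completes_needed=1, marginals_needed=2, max_depth=5):
        self.own_key = own_key
        self.completes_needed = completes_needed
        self.marginals_needed = marginals_needed
        self.max_depth = max_depth
        self.trust = {own_key: FULL}      # key_id -> FULL / MARGINAL / NONE
        self.signers = defaultdict(set)   # subject key_id -> set of signer key_ids

    def set_trust(self, key_id, level):
        self.trust[key_id] = level

    def add_signature(self, signer, subject):
        self.signers[subject].add(signer)

    def _satisfied(self, subject, valid):
        # Only signatures from keys that are themselves already valid count.
        usable = [s for s in self.signers.get(subject, ()) if s in valid]
        full = sum(self.trust.get(s, NONE) == FULL for s in usable)
        marginal = sum(self.trust.get(s, NONE) == MARGINAL for s in usable)
        return full >= self.completes_needed or marginal >= self.marginals_needed

    def valid_keys(self):
        """Breadth-first: keys at depth d are validated only by keys valid at depth < d."""
        valid = {self.own_key}
        for _ in range(self.max_depth):
            newly = {k for k in self.signers if k not in valid and self._satisfied(k, valid)}
            if not newly:
                break
            valid |= newly
        return valid

    def is_valid(self, key_id):
        return key_id in self.valid_keys()


def demo():
    # Constructed key ring. Alice is the user; each call is signer -> subject.
    wot = WebOfTrust("alice")
    for subject in ("bob", "carol", "dave"):
        wot.add_signature("alice", subject)   # Alice checked these fingerprints herself
    wot.set_trust("bob", FULL)
    wot.set_trust("carol", MARGINAL)
    wot.set_trust("dave", MARGINAL)
    wot.add_signature("bob", "erin")          # one fully trusted signer suffices
    wot.add_signature("carol", "frank")
    wot.add_signature("dave", "frank")        # two marginal signers suffice
    wot.add_signature("carol", "gina")        # one marginal signer does not
    wot.add_signature("erin", "hank")         # erin is valid, but Alice set no trust in her
    wot.add_signature("mallory", "ivan")      # signer was never validated at all
    return wot


if __name__ == "__main__":
    print(sorted(demo().valid_keys()))
```

Validity and trust are deliberately separate: erin's key is valid (Alice can verify her signatures on messages) without erin being an introducer, so hank stays unvalidated until Alice decides how much to trust erin's judgement.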

14 Summary of course

