Presentation is loading. Please wait.

Presentation is loading. Please wait.

SSL and IPSec CS461/ECE422 Spring 2012. Reading Chapter 22 of text Look at relevant IETF standards.

Similar presentations


Presentation on theme: "SSL and IPSec CS461/ECE422 Spring 2012. Reading Chapter 22 of text Look at relevant IETF standards."— Presentation transcript:

1 SSL and IPSec CS461/ECE422 Spring 2012

2 Reading Chapter 22 of text Look at relevant IETF standards

3 SSL Transport layer security – Provides confidentiality, integrity, authentication of endpoints – Developed by Netscape for WWW browsers and servers Internet protocol version: TLS – Compatible with SSL – Standard rfc2712rfc2712

4 Working at Transport Level Data link, Network, and Transport headers sent unchanged Original transport header can be protected if tunneling Ethernet Frame Header IP Header TCP Header TCP data stream Encrypted/authenticated Regardless of application

5 SSL Sessions and Connections SSL Sessions – Association between client and server – Created by Handshake protocol – Defines set of cryptographic security parameters SSL Connections – A transport-level connection – Potentially many connections per session – Share cryptographic parameters of session

6 SSL Protocol Stack

7 SSL Record Protocol Operation

8 Slide #11-8 Record Protocol Overview Lowest layer, taking messages from higher –Max block size 16,384 bytes –Bigger messages fragmented into multiple blocks –Construction –Block b compressed; call it b c –MAC computed for b c If MAC key not selected, no MAC computed –b c, MAC enciphered If enciphering key not selected, no enciphering done –SSL record header prepended

9 SSL Handshake Protocol Used to initiate connection – Sets up parameters for record protocol – 4 rounds Upper layer protocol – Invokes Record Protocol Note: what follows assumes client, server using RSA as interchange cryptosystem

10 Handshake Protocol: Phase 1 and 2

11 Handshake Round 1 Client Server { v C || r 1 || s 1 || ciphers || comps } Client Server {v || r 2 || s 1 || cipher || comp } v C Client’s version of SSL vHighest version of SSL that Client, Server both understand r 1, r 2 nonces (timestamp and 28 random bytes) s 1 Current session id (0 if new session) ciphersCiphers that client understands compsCompression algorithms that client understand cipherCipher to be used compCompression algorithm to be used

12 Handshake Round 2 Client Server {certificate } Note: if Server not to authenticate itself, only last message sent; third step omitted if Server does not need Client certificate k S Server’s private key ctypeCertificate type requested (by cryptosystem) gcaAcceptable certification authorities er2End round 2 message Client Server {mod || exp || Sig S (h(r 1 || r 2 || mod || exp)) } Client Server {ctype || gca } Client Server {er2 }

13 Handshake Protocols: Phases 3 and 4

14 Handshake Round 3 Client Server { pre }Pub S msgsConcatenation of previous messages sent/received this handshake opad, ipadAs above Client Server { h(master || opad || h(msgs || master | ipad)) } Both Client, Server compute master secret master: master =MD5(pre || SHA(‘A’ || pre || r 1 || r 2 ) || MD5(pre || SHA(‘BB’ || pre || r 1 || r 2 ) || MD5(pre || SHA(‘CCC’ || pre || r 1 || r 2 ) Client Server { client_cert }

15 Handshake Round 4 Client Server { h(master || opad || h(msgs || 0x434C4E54 || master || ipad )) } msgsConcatenation of messages sent/received this handshake in previous rounds (does notinclude these messages) opad, ipad, masterAs above Client Server { h(master || opad || h(msgs || 0x53525652 || master | ipad)) } Server sends “change cipher spec” message using that protocol Client Server Client sends “change cipher spec” message using that protocol Client Server

16 Supporting Crypto Algorithms The standard dictates algorithms that must be supported – Classical ciphers ensure confidentiality, cryptographic – checksums added for integrity Only certain combinations allowed – Won’t allow really weak confidentiality algorithm with really strong authentication algorithm Standard is augmented over time – E.g., AES added in 2002 by rfc3268

17 RSA: Cipher, MAC Algorithms

18 MITM Attacks Classic attack foiled by certificates Assuming certificates can be verified correctly Not necessarily the case if the root certificates cannot be trusted More subtle attacks appear over time – TLS Authentication Gap Interaction of TLS and HTTP http://www.phonefactor.com/sslgap Application above SSL/TLS tends to be HTTP but does not have to be

19 IPsec Network layer security – Provides confidentiality, integrity, authentication of endpoints, replay detection Protects all messages sent along a path dest gw2gw1 src IP IP+IPsecIP security gateway

20 Standards Original RFC’s 2401-2412 Mandatory portion of IPv6 Bolted onto IPv4 Newer standards – IKE: Standardized Key Management Protocol RFC 2409 RFC 2409 – NAT-T: UDP encapsulation for traversing address translation RFC 3948RFC 3948

21 Network Level Encryption Data link header and network header is unchanged With tunneling original IP header can be protected Ethernet Frame Header IP Header IP packet Encrypted/authenticated Regardless of application

22 IPsec Transport Mode Encapsulate IP packet data area Use IP to send IPsec-wrapped data packet Note: IP header not protected encapsulated data body IP header

23 IPsec Tunnel Mode Encapsulate IP packet (IP header and IP data) Use IP to send IPsec-wrapped packet Note: IP header protected encapsulated IP header and data body IP header

24 IPsec Protocols Authentication Header (AH) – Integrity of payload – Integrity of outer header – Anti-replay Encapsulating Security Payload (ESP) – Confidentiality of payload and inner header – Integrity of payload (and now header)

25 ESP and integrity Originally design, use AH to add integrity if needed. Bellovin showed integrity is always needed – So added directly to ESP – http://www.cs.columbia.edu/~smb/pape rs/badesp.pdf http://www.cs.columbia.edu/~smb/pape rs/badesp.pdf

26 IPsec Architecture Security Association (SA) – Association between peers for security services Identified uniquely by dest address, security protocol (AH or ESP), unique 32-bit number (security parameter index, or SPI) – Unidirectional Can apply different services in either direction – SA uses either ESP or AH; if both required, 2 SAs needed

27 SA Database Entries Sequence number counter Sequence counter overflow Anti-replay window AH or ESP information: algorithms, keys, key lifetimes Lifetime of SA IPSec mode: Tunnel or transport PathMTU

28 ESP Header

29 Slide #11-29 Key Points Separation of negotiation phase and operational phase Standardized elements for algorithm support Similar functionality between SSL and IPSec Difference in network stack level


Download ppt "SSL and IPSec CS461/ECE422 Spring 2012. Reading Chapter 22 of text Look at relevant IETF standards."

Similar presentations


Ads by Google