Transport Layer Security


1 Cryptography and Security in Communication Networks: Transport Layer Security. ETTI - Master - Advanced Wireless Telecommunications.

2 Secure channels
Secure data delivery on insecure networks: create a secure channel using a protocol that can provide the required security services. (Figure: Alice and Bob communicating across the Internet, with Trudy as the adversary.)
Typical protocol components:
- An authenticated key-establishment protocol provides a master shared secret for the current session.
- Operational keys for SKE and MAC are derived from the master secret using a PRF.
- Message authentication with a MAC and appropriate encapsulation.
- Message encryption using SKE and appropriate encapsulation.
- Other mechanisms, e.g., for stream integrity and anti-replay.
Octavian Catrina 2

3 Secure channels and network layers 1/3
At what layer should we create a secure channel? It depends on the problem we have to solve: there are security requirements at the data-link (DL), network (NL) and transport (TL) layers and in applications. E.g., protect all packets exchanged over a WLAN; authenticate IP routing advertisements; authenticate DNS records; provide authentication and integrity and/or confidentiality for interactive application sessions (e.g., HTTP) or messages (e.g., e-mail).
(Figure: an end-to-end path Host - Access Point (WLAN) - LAN switch - Router - WAN switch - WAN switch - Router - LAN switch - Host, showing the layers present at each node: the hosts implement Appl., TL, NL, DL and PHY; the routers NL, DL and PHY; the access point and the switches only DL and PHY.)

4 Secure channels & network layers 2/3
Security at the data-link layer
Advantages:
- Covers all traffic on a link (upper-layer protocols and applications).
- Best way to protect all traffic on wireless (radio) channels.
- Best way to control network access, at the edge.
- Transparent for upper-layer protocols and applications.
- Hardware implementation (NIC).
Main limitation:
- Per-hop security, not end-to-end.
Security at the network layer (IP)
Advantages:
- Covers all IP traffic end-to-end (assuming IP is end-to-end).
- Transparent for upper-layer protocols and applications.
- Hardware implementation possible.
Main limitations:
- Low flexibility and application control (the same security for all).
- Datagram security only; no data stream integrity.

5 Secure channels & network layers 3/3
Security at the transport/session layer
Advantages:
- End-to-end data stream security.
- Applications can control which security services are used.
Limitations:
- Not fully transparent for users and applications.
- Difficult to ensure appropriate security for all applications run by employees on their PCs.
- No protection for lower-layer traffic.
- No hardware implementation.
Security at the application level
Advantages:
- Security services fully adapted to the application's needs.
Disadvantages:
- We have to design and implement security per application (much harder for secure protocols).

6 Authenticated encryption
Authenticated encryption: the combination of encryption and message authentication. Never use encryption without a MAC. If confidentiality is not necessary, use a MAC alone.
Composition of MAC and encryption schemes:
- Encrypt then MAC (ETM). Protected message: E_K1(m) || MAC_K2(E_K1(m)). Example: IPsec. Provable security: secure composition independent of the schemes; the recommended method.
- MAC then Encrypt (MTE). Protected message: E_K1(m || MAC_K2(m)). Example: TLS. Provable security: secure composition for certain (usual) combinations of schemes.
- MAC and Encrypt (MAE). Protected message: E_K1(m) || MAC_K2(m). Example: SSH. Provable security: not provable as a general composition method (secure in particular cases).
Dedicated authenticated-encryption schemes: more efficient than the composition techniques. Examples:
- CCM (Counter with CBC-MAC Mode), NIST SP 800-38C. E.g., IEEE 802.11i.
- GCM (Galois/Counter Mode), NIST SP 800-38D. E.g., IEEE 802.1AE.
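The three compositions in the list above, implemented side by side as an added example (this code is not from the slides). The symmetric encryption scheme is an assumption: a counter-mode keystream built from HMAC-SHA256, used only so that everything runs with the Python standard library; the composition logic is the same for any SKE scheme. The keys, IVs and message are constructed values.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def ske(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in symmetric encryption scheme (assumption, not a TLS cipher):
    keystream block i = HMAC-SHA256(key, iv || i), XORed into the data.
    Encryption and decryption are the same operation."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac_sha256(key, iv + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Encrypt-then-MAC: the tag covers IV and ciphertext, so a modified record
# is rejected before anything is decrypted.
def etm_seal(k_enc, k_mac, iv, m):
    c = ske(k_enc, iv, m)
    return c + hmac_sha256(k_mac, iv + c)


def etm_open(k_enc, k_mac, iv, blob):
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac_sha256(k_mac, iv + c)):
        return None
    return ske(k_enc, iv, c)


# MAC-then-Encrypt (the TLS layout): E(m || MAC(m)). The receiver must
# decrypt first and can only then check the tag.
def mte_seal(k_enc, k_mac, iv, m):
    return ske(k_enc, iv, m + hmac_sha256(k_mac, m))


def mte_open(k_enc, k_mac, iv, blob):
    p = ske(k_enc, iv, blob)
    m, tag = p[:-TAG_LEN], p[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac_sha256(k_mac, m)):
        return None
    return m


# MAC-and-Encrypt (the SSH layout): E(m) || MAC(m). The tag of the
# plaintext travels in the clear.
def mae_seal(k_enc, k_mac, iv, m):
    return ske(k_enc, iv, m) + hmac_sha256(k_mac, m)


def mae_open(k_enc, k_mac, iv, blob):
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    m = ske(k_enc, iv, c)
    if not hmac.compare_digest(tag, hmac_sha256(k_mac, m)):
        return None
    return m


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate an in-transit modification of one ciphertext bit."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


# Constructed keys, IVs and message for the demonstration.
K_ENC, K_MAC = b"\x11" * 32, b"\x22" * 32
IV1, IV2 = b"\x01" * 16, b"\x02" * 16
MSG = b"transfer 100 EUR to account 42"


def mae_tag_leaks_equality() -> bool:
    """Same plaintext sent twice under fresh IVs: with MAC-and-Encrypt the
    exposed tags are identical and reveal the repetition even though the
    ciphertexts differ. With ETM the tag covers the ciphertext and differs."""
    t1 = mae_seal(K_ENC, K_MAC, IV1, MSG)[-TAG_LEN:]
    t2 = mae_seal(K_ENC, K_MAC, IV2, MSG)[-TAG_LEN:]
    return t1 == t2


if __name__ == "__main__":
    blob = etm_seal(K_ENC, K_MAC, IV1, MSG)
    print("ETM round trip:", etm_open(K_ENC, K_MAC, IV1, blob) == MSG)
    print("ETM tampered record accepted:", etm_open(K_ENC, K_MAC, IV1, flip_bit(blob, 0)) is not None)
    print("MAE tag leaks repeated plaintext:", mae_tag_leaks_equality())
```

All three variants reject a flipped ciphertext bit, but only ETM rejects it without first running the decryption, and only MAE exposes a deterministic function of the plaintext; that is the concrete difference behind the "provable security" column.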

7 TLS (Transport Layer Security) protocol

8 TLS protocol
TLS protocol: provides a secure communication channel on top of a reliable transport protocol, usually TCP. Widely used by Web browsers and servers (HTTP over TLS, i.e., https). A.k.a. SSL: Secure Socket Layer.
(Figure: protocol stack HTTP, FTP, ... over TLS (a.k.a. SSL) over TCP over IP.)
Security services:
- Secure connection setup, including key exchange with server authentication and (optionally) client authentication.
- Authenticated encryption of application data (SE + MAC).
Development and standardization:
- Originally developed by Netscape; last version: SSL v3.0.
- Adopted by the IETF as TLS 1.0, specified in an IETF RFC.
- Current spec.: TLS 1.2, RFC 5246, 2008 (and other RFCs).

9 TLS sessions and connections
TLS session: an association between a client and a server that defines a set of cryptographic security parameters. These parameters can be shared among multiple TLS connections. Session setup provides:
- Negotiation of cryptographic mechanisms ("cipher-suites").
- Server and client authentication.
- Exchange of basic key material.
TLS connection: a transient connection associated with a TLS session, offering reliable and secure data transport:
- Data integrity (authentication) using HMAC (MD5 or SHA-1).
- Data confidentiality using an encryption scheme based on a block cipher (e.g., AES, 3DES), the RC4 stream cipher, etc.
- Fast connection setup: new keys are computed using the session's (pre-)master secret and connection nonces.

10 TLS / SSL
TLS architecture (figure): HTTP, FTP, SMTP, POP3, IMAP4, LDAP, etc. on top of the Handshake Protocol, Change Cipher Protocol, Alert Protocol and Record Protocol, which run over TCP.
- Record protocol: encapsulates user data, providing data authentication and confidentiality. Also encapsulates the TLS control messages: Handshake, Change Cipher, Alert.
- Handshake protocol: session and connection setup.
- Change Cipher protocol: a single message, announcing that the agreed-upon cipher-suite and keys are about to be used.
- Alert protocol: error notifications.

11 TLS Record protocol 1/2
Data processing: a user data stream is processed as a sequence of data blocks (fragments) with length up to (about) 2^14 octets. A sequence number is assigned to each fragment.
Data processing (outline, figure): application data is split into Fragment 1, Fragment 2, ..., Fragment n; each fragment goes through Compress, MAC, Encrypt.
Processing per block:
- Compress (optional).
- Compute the MAC, append the MAC and padding.
- Encrypt all this using a SE scheme.

12 TLS Record protocol 2/2
Records: TLS must determine the sequence of encrypted blocks in the octet stream delivered by TCP, in order to process the received data (decryption and MAC check). The same problem arises for control messages. The TLS record format provides the payload encapsulation necessary for this purpose.
Record format: a record header (record type, protocol version, record length) followed by the record payload: user data (compressed, MAC-ed, encrypted) or TLS control message(s).
Data record processing (details):
- MAC computation, with the MAC key, over: seq_num || record header || record data (compressed).
- Plaintext to be encrypted: record data (compressed) || MAC || padding.
- Encryption with the encryption key and an initialization value (IV); the result, preceded by the cleartext record header, is the encrypted and integrity-protected record.

13 TLS Handshake Protocol 1/2
Session setup: cipher-suite negotiation; key exchange with server and client authentication.
Example (simplified). Key exchange: in this example, key transport using RSA encryption and (implicit) server authentication.
1. Negotiate the cipher-suite, exchange random nonces.
   Client -> Server: cipher-suites I suggest; my random nonce R_C.
   Server -> Client: session-id; cipher-suite I choose; my random nonce R_S; certificate for my public key (PK_S).
2. Client: choose the cipher-suite. Choose a pre-master secret S, encrypt it, and send it to the server. Compute the master secret K = PRF(S, R_C, R_S), and derive from K, R_C, R_S the keys for MAC and encryption.
   Client -> Server: our secret E_PKS(S); handshake integrity check (MAC(msgs)).
3. Server: decrypt the pre-master secret S. Compute the master secret K = PRF(S, R_C, R_S), and derive from K, R_C, R_S the keys for MAC and encryption.
   Server -> Client: handshake integrity check (MAC(msgs)), proof I know the keys.
4. Data, encrypted and integrity protected with keys derived from K.

14 TLS Handshake Protocol 2/2
Session resumption: a handshake that allows reusing authentication and shared secrets across multiple connections, performing fast re-keying of the current connection (new session secrets using fresh nonces), and re-negotiating the cipher-suite.
Example: re-keying a connection (simplified). Client and server have set up a session identified by session-id and share the session's master key K.
   Client -> Server: session-id; cipher; new random nonce R'_C.
   Server -> Client: session-id; cipher; new nonce R'_S.
   Both sides derive from K, R'_C, R'_S new keys for MAC and encryption.
   Server -> Client: integrity check (MAC(msgs)).
   Client -> Server: integrity check (MAC(msgs)).
   Data, encrypted and integrity protected with keys derived from K.

15 Key exchange methods
Ephemeral Diffie-Hellman: DHE_RSA, ECDHE_RSA, DHE_DSS, ECDHE_ECDSA. The best method. DH key exchange with one-time DH secrets. Server and (optionally) client authentication using RSA or DSS signatures. Variants for integer groups and elliptic curve groups.
RSA encryption: the pre-master secret is encrypted with the server's public RSA key. This also authenticates the server. The server can request client authentication using an RSA or DSS signature.
Pre-shared keys: introduced in RFC 4279, Dec.
Others:
- Fixed Diffie-Hellman (DH_RSA, DH_DSS). The server has a fixed DH key-pair (with a certificate). This also authenticates the server. The server can request client authentication using a DH key or using an RSA or DSS signature.
- Kerberos, ...

16 TLS Pseudo-Random Function (PRF)
TLS 1.2 (RFC 5246) defines a PRF based on HMAC with the hash function SHA-256. This PRF takes as input a secret, a seed and an identifying label, and produces an output of arbitrary length.
Data expansion function:
  P(key, seed) = HMAC(key, A(1) || seed) || HMAC(key, A(2) || seed) || HMAC(key, A(3) || seed) || ...
where "||" denotes concatenation and
  A(0) = seed
  A(i) = HMAC(key, A(i-1))
PRF:
  PRF(key, label, seed) = P(key, label || seed)
where "label" is an ASCII string.
(Figure: a chain of HMAC computations produces A(1), A(2), A(3) from key and seed; each A(i) || seed is fed with the key into another HMAC whose 256-bit = 32-byte output is one block of P.)
The data expansion function P() is iterated until the required quantity of data is obtained (e.g., for 80 bytes, P() is iterated 3 times, creating 3 x 32 = 96 bytes of data; the last 16 bytes are discarded).
E.g., TLS uses this PRF to generate, from a master secret (as key) and random nonces (as seed), the data authentication and data encryption keys for each direction of a TLS connection.

17 TLS session setup: Overview
Message flow (optional messages depend on the AKE variant):
  Client -> Server: ClientHello (suggested cipher-suites, client nonce)
  Server -> Client: ServerHello (chosen cipher-suite, server nonce, session-id)
  Server -> Client: ServerCertificate (server certificate)
  Server -> Client: ServerKeyExchange (key material)
  Server -> Client: CertificateRequest (what client certificate)
  Client -> Server: ClientCertificate (client certificate)
  Client -> Server: ClientKeyExchange (key material)
  Client -> Server: CertificateVerify (proof I know my private key)
  Client -> Server: ChangeCipherSpec
  Client -> Server: ClientFinished (MAC(handshake messages))
  Server -> Client: ChangeCipherSpec
  Server -> Client: ServerFinished (MAC(handshake messages))
  Done. Can start secure data transfer.
Phases:
- ClientHello / ServerHello: negotiate the cipher suite, exchange connection nonces.
- Key exchange (KE) with server and optionally client authentication. Several KE methods. Client and server compute a master secret and then derive data encryption and data authentication keys for each direction.
Message notes:
- ServerKeyExchange: optional, e.g., used with the DH variant of AKE.
- CertificateRequest: sent if the server wants the client to authenticate itself (with a digital signature).
- ClientCertificate: sent if the server asks for client authentication.
- CertificateVerify: client authenticator (based on a digital signature).
- ChangeCipherSpec (client): the client commits to the agreed cipher-suite and keys; the next messages are encrypted and authenticated.
- ClientFinished: a MAC with the master secret authenticates the handshake, confirms key knowledge, etc.
- ChangeCipherSpec (server): the server commits to the agreed cipher-suite and keys; the next messages are encrypted and authenticated.
- ServerFinished: a MAC with the master secret authenticates the handshake, confirms key knowledge, etc.

18 DH+DSS KE with server authentication 1/2
Notation: DSS/DSA = Digital Signature Standard/Algorithm. KS_SRV = server's DSS private (signing) key. KV_SRV = server's DSS public (verification) key.
Client -> Server: ClientHello (M1)
  Version: 3.3 (TLS 1.2)
  ClientNonce: Random[28] + GMT_seconds[4]
  SuggestedCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, ...
Server actions after receiving M1:
- Select the cipher suite. Select the DH domain parameters dh_p, dh_g.
- Generate the server's DH parameters: dh_xs and dh_ys = dh_g^dh_xs mod dh_p.
- Construct and send the next messages...
Server -> Client: ServerHello (M2a)
  Version: 3.3 (TLS 1.2)
  ServerNonce: Random[28] + GMT_seconds[4]
  SessionID: 0x945D6F22
  ChosenCipherSuite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Server -> Client: ServerCertificateChain (M2b)
  Subject: AltName=
  Public Key: ... (= DSS KV_SRV)
  Issuer: DN=Verisign...
Server -> Client: ServerKeyExchange (M2c)
  ServerDHParams: dh_p, dh_g, dh_ys
  DSS_sign(KS_SRV, ClientNonce || ServerNonce || ServerDHParams)
Server -> Client: ServerHelloDone (M2d)
  (The client can proceed with the next handshake phase.)
Client actions after receiving M2:
- Validate the server's certificate chain.
- Verify the signature in M2c, and store the server's DH public parameters: dh_p, dh_g, dh_ys.
- Generate the client's DH parameters: dh_xc and dh_yc = dh_g^dh_xc mod dh_p.
- Generate pre_master_secret = dh_ys^dh_xc mod dh_p.
- Generate secrets from pre_master_secret:
    master_secret = PRF(pre_master_secret, "master secret", ClientNonce || ServerNonce)
    key_block = PRF(master_secret, "key expansion", ClientNonce || ServerNonce)
  Take successive bytes from key_block for: client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv.
- Apply the client-write parameters to write M3b and all subsequent messages (encrypted and authenticated).

19 DH+DSS KE with server authentication 2/2
Client -> Server: ClientKeyExchange (M3a)
  ClientDiffieHellmanPublic: dh_yc
Client -> Server: ChangeCipherSpec (M3b)
  (Further traffic, starting with the next message, will be protected under the agreed cipher suite and keys.)
Client -> Server: ClientFinished (M3c)
  PRF(master_secret, "client finished", Hash(handshake_msgs)), where handshake_msgs = M1 || M2 || M3a
Server actions after receiving M3:
- Generate pre_master_secret = dh_yc^dh_xs mod dh_p.
- Generate secrets from pre_master_secret exactly like the client: master_secret and then client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv.
- Apply the client-write parameters to read M3c and all subsequent messages (encrypted and authenticated).
- Verify the PRF (MAC) in M3c (authenticates all handshake messages, confirms that the client knows the keys, etc.).
- Apply the server-write parameters to write M4b and all subsequent messages (encrypted and authenticated).
Server -> Client: ChangeCipherSpec (M4a)
  (Further traffic, starting with the next message, will be protected under the agreed cipher suite and keys.)
Server -> Client: ServerFinished (M4b)
  PRF(master_secret, "server finished", Hash(handshake_msgs)), where handshake_msgs = M1 || M2 || M3a || M3c
Client actions after receiving M4:
- Apply the server-write parameters to read M4b and all subsequent messages (encrypted and authenticated).
- Verify the PRF (MAC) in M4b (authenticates the handshake messages, confirms that the server knows the keys, etc.).
The Hash value in ClientFinished and ServerFinished is computed on the concatenation of the previous TLS Handshake protocol messages (without ChangeCipherSpec, alerts, etc.).

20 RSA KE with mutual authentication 1/2
Notation: KE_SRV = server's RSA public (encryption) key. KV_CLI = client's RSA public (verification) key. KS_CLI = client's RSA private (signing) key.
Client -> Server: ClientHello (M1)
  Version: 3.3 (TLS 1.2)
  ClientNonce: Random[28] + GMT_seconds[4]
  SuggestedCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA, ...
Server actions after receiving M1:
- Select the cipher suite.
- Construct and send the next messages... By sending the (optional) CertificateRequest the server asks the client to authenticate using a digital signature.
Server -> Client: ServerHello (M2a)
  Version: 3.3 (TLS 1.2)
  ServerNonce: Random[28] + GMT_seconds[4]
  SessionID: 0x35DD84F0
  ChosenCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA256
Server -> Client: ServerCertificateChain (M2b)
  Subject: DN=BigBankHomeBkgDiv; Public Key: ... (RSA KE_SRV); Issuer: DN=BigBank...
  Subject: DN=BigBank; Public Key: 0xD9783BB2208F3...; Issuer: DN=Verisign...
Server -> Client: CertificateRequest (M2c)
  Type: RSA_signing
  AcceptableCAs: BigBankHomeBkgDiv
Server -> Client: ServerHelloDone (M2d)
  (The client can proceed with the next handshake phase.)
Client actions after receiving M2:
- Validate the server's certificate chain.
- Generate a random pre_master_secret (48 bytes).
- Generate secrets from pre_master_secret:
    master_secret = PRF(pre_master_secret, "master secret", ClientNonce || ServerNonce)
    key_block = PRF(master_secret, "key expansion", ClientNonce || ServerNonce)
  Take successive bytes from key_block for: client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv.
- Construct and send the next messages...

21 RSA KE with mutual authentication 2/2
Client -> Server: ClientCertificateChain (M3a)
  Subject: DN=Alice; Public Key: ... (RSA KV_CLI); Issuer: DN=BigBankHomeBkgDiv...
Client -> Server: ClientKeyExchange (M3b)
  RSA_encrypt(KE_SRV, pre_master_secret)
Client -> Server: CertificateVerify (M3c)
  RSA_sign(KS_CLI, handshake_msgs), where handshake_msgs = M1 || M2 || M3a || M3b
Client -> Server: ChangeCipherSpec (M3d)
  (Further traffic, starting with the next message, will be protected using the agreed cipher suite and keys.)
Client -> Server: ClientFinished (M3e)
  PRF(master_secret, "client finished", Hash(handshake_msgs)), where handshake_msgs = M1 || M2 || M3a || M3b || M3c
Server actions after receiving M3:
- Authenticate the client: verify the client's certificate chain and the client's signature in M3c.
- Decrypt pre_master_secret from M3b.
- Generate secrets from pre_master_secret exactly like the client: master_secret and client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv.
- Apply the client-write parameters to read M3e and all subsequent messages (encrypted and authenticated).
- Verify the PRF (MAC) in M3e (authenticates the handshake messages, confirms that the client knows the keys, etc.).
- Construct and send the last messages...
Server -> Client: ChangeCipherSpec (M4a)
  (Further traffic, starting with the next message, will be protected using the agreed cipher suite and keys.)
Server -> Client: ServerFinished (M4b)
  PRF(master_secret, "server finished", Hash(handshake_msgs)), where handshake_msgs = M1 || M2 || M3a || M3b || M3c || M3e
Client actions after receiving M4:
- Apply the server-write parameters to read M4b and all subsequent messages (encrypted and authenticated).
- Verify the PRF (MAC) in M4b (authenticates the handshake messages, confirms that the server knows the keys, implicitly authenticates the server, etc.).

22 HTTP+TLS and password authentication
Example: access to an on-line digital library, restricted to subscribers.
(1) TLS connection setup: server authentication and confidentiality.
(2) User authentication: user-id and password transferred over the secured connection.

23 Resuming a session
E.g., a new TLS connection for another operation with the same server, after a TLS session has been set up.
Client -> Server: ClientHello (M1)
  Version: 3.3
  ClientNonce: Random[28] + GMT_seconds[4]
  SuggestedCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  SessionID: 0x945D6F22 (previously established)
Server -> Client: ServerHello (M2a)
  Version: 3.3
  ServerNonce: Random[28] + GMT_seconds[4]
  SessionID: 0x945D6F22
  ChosenCipherSuite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Server and client update key_block using the session's master_secret and the new nonces.
Server -> Client: ChangeCipherSpec (M2b)
  (Further traffic, starting with the next message, will be protected under the agreed cipher suite and keys.)
Server -> Client: ServerFinished (M2c)
  PRF(master_secret, "server finished", Hash(handshake_msgs)), where handshake_msgs = M1 || M2a
Client -> Server: ChangeCipherSpec (M3a)
  (Further traffic, starting with the next message, will be protected under the agreed cipher suite and keys.)
Client -> Server: ClientFinished (M3b)
  PRF(master_secret, "client finished", Hash(handshake_msgs)), where handshake_msgs = M1 || M2a || M2c
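The PRF of slide 16, the DHE key derivation and Finished computation of slides 18-19, and the re-keying of slides 14 and 23, carried through in one added Python example (not code from the slides). Assumptions: the DH group is a constructed toy safe prime (p = 1019, g = 2) so the example runs instantly, the handshake transcript is a constructed byte encoding rather than the TLS wire format, and the key sizes are those of TLS_DHE_DSS_WITH_AES_128_CBC_SHA. One detail differs from the slide text: RFC 5246 seeds the "key expansion" PRF with server_random || client_random, while the slides write ClientNonce || ServerNonce; the code follows the RFC.

```python
import hashlib
import hmac
import secrets


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """Data expansion P_SHA256 (RFC 5246, section 5): A(0) = seed,
    A(i) = HMAC(secret, A(i-1)); output HMAC(secret, A(1)||seed) || ...
    iterated until `length` bytes exist; the surplus is discarded."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


# Constructed toy DH group (safe prime 1019 = 2*509 + 1, generator 2).
# NOT a real TLS group; deployments use 2048-bit or larger groups.
DH_P, DH_G = 1019, 2
# TLS_DHE_DSS_WITH_AES_128_CBC_SHA: HMAC-SHA1 key, AES-128 key, 16-byte IV.
MAC_LEN, KEY_LEN, IV_LEN = 20, 16, 16


def dh_private() -> int:
    return secrets.randbelow(DH_P - 2) + 1


def dh_public(x: int) -> int:
    return pow(DH_G, x, DH_P)


def pre_master_secret(peer_y: int, x: int) -> bytes:
    """Z = peer_y^x mod p, big-endian without leading zero bytes."""
    z = pow(peer_y, x, DH_P)
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def master_secret(pms: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    return prf(pms, b"master secret", client_nonce + server_nonce, 48)


def key_block(master: bytes, client_nonce: bytes, server_nonce: bytes) -> dict:
    """Split PRF(master, "key expansion", server_random || client_random)
    into the six connection keys, in the order the slides list them."""
    total = 2 * (MAC_LEN + KEY_LEN + IV_LEN)
    kb = prf(master, b"key expansion", server_nonce + client_nonce, total)
    names = ["client-write-mac", "server-write-mac", "client-write-key",
             "server-write-key", "client-write-iv", "server-write-iv"]
    sizes = [MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def finished(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data = PRF(master, label, SHA-256(handshake messages))[:12]."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake() -> dict:
    """Both sides of the DHE exchange (slides 18-19); each side derives its
    own keys and verifies the peer's Finished message."""
    r_c, r_s = secrets.token_bytes(32), secrets.token_bytes(32)
    xs, xc = dh_private(), dh_private()
    ys, yc = dh_public(xs), dh_public(xc)
    transcript = (b"ClientHello" + r_c + b"ServerHello" + r_s +          # constructed
                  b"ServerKeyExchange" + ys.to_bytes(2, "big") +
                  b"ClientKeyExchange" + yc.to_bytes(2, "big"))
    # Client: pre_master_secret = dh_ys^dh_xc mod dh_p
    master_c = master_secret(pre_master_secret(ys, xc), r_c, r_s)
    keys_c = key_block(master_c, r_c, r_s)
    client_fin = finished(master_c, b"client finished", transcript)
    # Server: pre_master_secret = dh_yc^dh_xs mod dh_p
    master_s = master_secret(pre_master_secret(yc, xs), r_c, r_s)
    keys_s = key_block(master_s, r_c, r_s)
    server_ok = hmac.compare_digest(client_fin, finished(master_s, b"client finished", transcript))
    # ServerFinished also covers the ClientFinished message (M3c).
    server_fin = finished(master_s, b"server finished", transcript + client_fin)
    client_ok = hmac.compare_digest(server_fin, finished(master_c, b"server finished", transcript + client_fin))
    return {"master": master_c, "keys": keys_c, "keys_match": keys_c == keys_s,
            "server_ok": server_ok, "client_ok": client_ok, "nonces": (r_c, r_s)}


def resume(master: bytes, new_r_c: bytes, new_r_s: bytes) -> dict:
    """Resumption / re-keying (slides 14 and 23): the master secret is reused,
    only fresh nonces are exchanged, and a new key_block results."""
    return key_block(master, new_r_c, new_r_s)


if __name__ == "__main__":
    h = run_handshake()
    print("keys match:", h["keys_match"], "Finished verified:", h["server_ok"], h["client_ok"])
    print("resumed keys differ:", resume(h["master"], b"c" * 32, b"s" * 32) != h["keys"])
```

The Finished value binds the whole transcript: changing any handshake byte (for instance the offered cipher suites) after the fact produces a different verify_data on the other side, which is what makes the slides' "handshake integrity check" detect downgrade or tampering of unprotected handshake messages.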


Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics T 110.5211 Cryptosystems RFC 2246: Transport Layer Security 1.0 Comparison to IPsec 16.10.2008 Transport Layer Security (TLS) 1.0 basics Kaufman et al: Chapters 18 / 19 Stallings: Chapters 16 / 17.2 T

More information

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by

More information

Coming of Age: A Longitudinal Study of TLS Deployment

Coming of Age: A Longitudinal Study of TLS Deployment Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson,

More information

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Chapter 16 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death,

More information

Performance Implications of Security Protocols

Performance Implications of Security Protocols Performance Implications of Security Protocols Varsha Mainkar Technical Staff Member Network Design & Performance Analysis Advanced Technologies, Joint Work with Paul Reeser 5th INFORMS Telecom Conference

More information

Solving HTTP Problems With Code and Protocols NATASHA ROONEY

Solving HTTP Problems With Code and Protocols NATASHA ROONEY Solving HTTP Problems With Code and Protocols NATASHA ROONEY Web HTTP TLS TCP IP 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport

More information

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 5

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 5 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 5 Secure Socket Layer (SSL)/ Transport Layer Security (TLS) Acknowledgments This course

More information

TLS 1.2 Protocol Execution Transcript

TLS 1.2 Protocol Execution Transcript Appendix C TLS 1.2 Protocol Execution Transcript In Section 2.3, we overviewed a relatively simple protocol execution transcript for SSL 3.0. In this appendix, we do something similar for TLS 1.2. Since

More information

Securing IoT applications with Mbed TLS Hannes Tschofenig

Securing IoT applications with Mbed TLS Hannes Tschofenig Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 Munich Agenda For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based

More information

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE Outline 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE 2 Securing Real-time Communications 0 In a real-time protocol, two parties negotiate

More information

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm

More information

L13. Reviews. Rocky K. C. Chang, April 10, 2015

L13. Reviews. Rocky K. C. Chang, April 10, 2015 L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Key Management The first key in a new connection or association is always delivered via a courier Once you have a key, you

More information

COSC4377. Chapter 8 roadmap

COSC4377. Chapter 8 roadmap Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7

More information

Overview of TLS v1.3 What s new, what s removed and what s changed?

Overview of TLS v1.3 What s new, what s removed and what s changed? Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Solution Architect / Principal Design Engineer. On Worldpay ecommerce Payment Gateways. Based in Cambridge, UK.

More information

Internet security and privacy

Internet security and privacy Internet security and privacy IPsec 1 Layer 3 App. TCP/UDP IP L2 L1 2 Operating system layers App. TCP/UDP IP L2 L1 User process Kernel process Interface specific Socket API Device driver 3 IPsec Create

More information

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

TLS. RFC2246: The TLS Protocol. (c) A. Mariën - TLS RFC2246: The TLS Protocol What does it achieve? Confidentiality and integrity of the communication Server authentication Eventually: client authentication What is does not do Protect the server Protect

More information

Transport Layer Security

Transport Layer Security Transport Layer Security TRANSPORT LAYER SECURITY PERFORMANCE TESTING OVERVIEW Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), are the most popular cryptographic protocols

More information

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University Chapter 6 IP Security Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University +91 9426669020 bhargavigoswami@gmail.com Topic List 1. IP Security Overview 2. IP Security Architecture 3.

More information

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer SharkFest 17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer peter@lekensteyn.nl 1 About me Wireshark contributor since 2013, core developer

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Encryption. INST 346, Section 0201 April 3, 2018

Encryption. INST 346, Section 0201 April 3, 2018 Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:

More information

Attacks on re-keying and renegotiation in Key Exchange Protocols

Attacks on re-keying and renegotiation in Key Exchange Protocols Eidgenössische Technische Hochschule Zürich Ecole polytechnique fédérale de Zurich Politecnico federale di Zurigo Federal Institute of Technology at Zurich Attacks on re-keying and renegotiation in Key

More information

ON THE SECURITY OF TLS RENEGOTIATION

ON THE SECURITY OF TLS RENEGOTIATION ON THE SECURITY OF TLS RENEGOTIATION 2012/11/02 QUT Douglas Stebila European Network of Excellence in Cryptology II (ECRYPT II) Australian Technology Network German Academic Exchange Service (ATN-DAAD)

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security

More information

SSL/TLS. Pehr Söderman Natsak08/DD2495

SSL/TLS. Pehr Söderman Natsak08/DD2495 SSL/TLS Pehr Söderman Pehrs@kth.se Natsak08/DD2495 1 Historical problems No general purpose security wrapper Kerberos doesn't cut it! Each protocol has it's own security layer SNMP, Ktelnet Or none at

More information

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999 Network Working Group Requests for Commments: 2716 Category: Experimental B. Aboba D. Simon Microsoft October 1999 Status of this Memo PPP EAP TLS Authentication Protocol This memo defines an Experimental

More information

Requirements from the. Functional Package for Transport Layer Security (TLS)

Requirements from the. Functional Package for Transport Layer Security (TLS) Requirements from the Functional Package for Transport Layer Security (TLS) Version: 1.0 2018-12-17 National Information Assurance Partnership Revision History Version Date Comment Introduction Purpose.

More information

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect

More information

Sensitive Information in a Wired World

Sensitive Information in a Wired World Sensitive Information in a Wired World CPSC 457/557, Fall 2013 Lecture 11, October 3, 2013 1:00-2:15 pm; AKW 400 http://zoo.cs.yale.edu/classes/cs457/fall13/ Brian A. LaMacchia, used with permission 1

More information

From wired internet to ubiquitous wireless internet

From wired internet to ubiquitous wireless internet WlanSmartcard.org Technical Committee Wireless LAN A primer guide. Paris, February 5 th Pascal.Urien@enst.fr From wired internet to ubiquitous wireless internet 1 Classical intranet. Network access is

More information

The Secure Shell (SSH) Protocol

The Secure Shell (SSH) Protocol The Secure Shell (SSH) Protocol Mario Čagalj University of Split, FESB Introduction What is SSH? SSH is a protocol for secure remote login and other secure network services over an insecure network (RFC

More information

Was ist neu bei TLS 1.3?

Was ist neu bei TLS 1.3? Was ist neu bei TLS 1.3? TSLv1.3 21nd Century Internet Transmission Security Dr. Erwin Hoffmann November, 20th, 2018 1 / 23 Todays Agenda History of TLS and it s cryptographic concepts Working model of

More information

WAP Security. Helsinki University of Technology S Security of Communication Protocols

WAP Security. Helsinki University of Technology S Security of Communication Protocols WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP

More information

Network Encryption 3 4/20/17

Network Encryption 3 4/20/17 The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server

More information

Information Security CS 526

Information Security CS 526 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric

More information

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec,

More information

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013 FIPS 140-2 Compliance of Industry Protocols in 2014 Edward Morris September 25, 2013 Topics Abstract Background DES SP 800-57 SP 800-131 The Protocols IPsec TLS SSH Others Challenges & Recommendations

More information

TLS Extensions Project IMT Network Security Spring 2004

TLS Extensions Project IMT Network Security Spring 2004 TLS Extensions Project IMT4101 - Network Security Spring 2004 Ole Martin Dahl [ole.dahl@hig.no] Torkjel Søndrol [torkjel.soendrol@hig.no] Fredrik Skarderud [fredrik.skarderud@hig.no] Ole Kasper Olsen [ole.olsen@hig.no]

More information

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

More information

Computer Networks II

Computer Networks II Computer Networks II Network Security: Cryptography, IPsec and SSL Giorgio Ventre COMICS LAB Dipartimento di Informatica e Sistemistica Università di Napoli Federico II DISCLAIMER The following slides

More information

TLS1.2 IS DEAD BE READY FOR TLS1.3

TLS1.2 IS DEAD BE READY FOR TLS1.3 TLS1.2 IS DEAD BE READY FOR TLS1.3 28 March 2017 Enterprise Architecture Technology & Operations Presenter Photo Motaz Alturayef Jubial Cyber Security Conference 70% Privacy and security concerns are

More information

Securely Deploying TLS 1.3. September 2017

Securely Deploying TLS 1.3. September 2017 Securely Deploying TLS 1.3 September 2017 Agenda Why TLS 1.3? Zero Round Trip Time (0-RTT) requests Forward secrecy Resumption key management Why TLS 1.3? Speed TLS impacts latency, not thoroughput Protocol

More information

Kurose & Ross, Chapters (5 th ed.)

Kurose & Ross, Chapters (5 th ed.) Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and

More information

Datasäkerhetsmetoder föreläsning 7

Datasäkerhetsmetoder föreläsning 7 Datasäkerhetsmetoder föreläsning 7 Nyckelhantering Jan-Åke Larsson Cryptography A security tool, not a general solution Cryptography usually converts a communication security problem into a key management

More information

Lecture 10: Communications Security

Lecture 10: Communications Security INF3510 Information Security Lecture 10: Communications Security Nils Gruschka University of Oslo Spring 2018 Introduction Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg

More information

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture

More information

CS Computer Networks 1: Authentication

CS Computer Networks 1: Authentication CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores

More information

AIR FORCE INSTITUTE OF TECHNOLOGY

AIR FORCE INSTITUTE OF TECHNOLOGY i DETECTING MAN-IN-THE-MIDDLE ATTACKS AGAINST TRANSPORT LAYER SECURITY CONNECTIONS WITH TIMING ANALYSIS THESIS Lauren M. Wagoner, Civilian, USAF AFIT/GCO/ENG/11-16 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY

More information

Understanding Traffic Decryption

Understanding Traffic Decryption The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. Traffic Decryption Overview, page 1 SSL Handshake

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Photuris and SKIP PHASE 1 IKE PHASE 2 IKE How is SA established? How do parties negotiate

More information

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Data Security and Privacy. Topic 14: Authentication and Key Establishment Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt

More information

Summary on Crypto Primitives and Protocols

Summary on Crypto Primitives and Protocols Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance

More information

Security analysis of DTLS 1.2 implementations

Security analysis of DTLS 1.2 implementations Bachelor thesis Computing Science Radboud University Security analysis of DTLS 1.2 implementations Author: Niels van Drueten s4496604 First supervisor/assessor: dr.ir. Joeri de Ruiter joeri@cs.ru.nl Second

More information

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1 IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service

More information

Lecture: Transport Layer Security (secure Socket Layer)

Lecture: Transport Layer Security (secure Socket Layer) Lecture: Transport Layer Security (secure Socket Layer) Recommended reading: Stephen Thomas, SSS and TLS essentials, Wiley, 2000 Very old and in some parts obsolete, but very well written Lecture s twofold

More information

Chapter 6/8. IP Security

Chapter 6/8. IP Security Chapter 6/8 IP Security Prof. Bhargavi H Goswami Department of MCA, Sunshine Group of Institutes, Rajkot, Gujarat, India. Mob: +918140099018. Email: bhargavigoswami@gmail.com Topic List 1. IP Security

More information

An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS Western University Scholarship@Western Electronic Thesis and Dissertation Repository August 2017 An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS Kristen Dorey The

More information

8. Network Layer Contents

8. Network Layer Contents Contents 1 / 43 * Earlier Work * IETF IP sec Working Group * IP Security Protocol * Security Associations * Authentication Header * Encapsulation Security Payload * Internet Key Management Protocol * Modular

More information

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates The main modes, 0-RTT, and replays Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin,

More information