Was ist neu bei TLS 1.3?
|
|
- Justina Wood
- 5 years ago
- Views:
Transcription
1 Was ist neu bei TLS 1.3? TSLv1.3 21nd Century Internet Transmission Security Dr. Erwin Hoffmann November, 20th, / 23
2 Todays Agenda History of TLS and it s cryptographic concepts Working model of former TLS implementations Changes done for TLS 1.3 OpenSSL under OmniOSce Installation of fehqlibs + ucspi-ssl Protocol analysis using WireShark and testssl TLS 1.3. has been published in RFC 8446 after years of discussion in the IETF in August Since September 2018 OpenSSL is available supporting TLSv1.3. My software ucspi-ssl-0.10 is OpenSSL enabled and used here together with OmniOS (r15028). 2 / 23
3 Internet security protocols Transport Layer Security (TLS) aka Secure Socket Layer (SSL) is a fundamental IT security concept and in particular used for Web encryption (HTTPS) and encrypted transmission (ESMTPS/ESMTP+StartTLS). Message TLS- Records HTTPS IPsec packets MAC frames TLS Bit transmission SSH TCP/UDP IP MAC PHY protected messages protected TLS end-to-end transmission TLS Tunnel Security Association via IPsec MACsec Router function WPA(2) Dark Fiber Wireless MAC PHY SSH User (authenticated) HTTPS Application Instance TLS (authenticated) TCP/UDP Instance (stateful) IP Instance (stateless, stateful) Figure: IT security protocols in a layered view The cryptographic framework and routines are also used for SSH, PGP, IPSec and WiFi (WPA2), though in a different context. 3 / 23
4 Development of cryptographic standards and protocols Message TLS- Records HTTPS IPsec packets MAC frames TLS Bit transmission SSH TCP/UDP IP MAC PHY protected messages protected TLS end-to-end transmission TLS Tunnel Security Association via IPsec MACsec Router function WPA(2) Dark Fiber Wireless MAC PHY SSH User (authenticated) HTTPS Application Instance TLS (authenticated) TCP/UDP Instance (stateful) IP Instance (stateless, stateful) Figure: Cryptographic standards since the Unix epoch 4 / 23
5 The #4 Crypto Primitives Certificate Authority (CA) h: Hash Primitive MD5, SHA, Poly1305 CA s private key σ: Signature Primitive DSA, DSS Symmetrical crypto Asymmetrical crypto Internet!: Key Exchange Primitive RSA, Diffie-Hellman CA s public key Bob s public key C : En/Decryption Primitive Alice Block + Stream ciphers (AES, ChaCha) Bob Bob s private key Figure: The #4 crypto primitives 5 / 23
6 TLS Use Cases SMTP- Client (MUA) TCP SYN a) Internet TLS Handshake 220 hostname EMSTP EHLO client 250-hostname 250-PIPELINING 250-8BITMIME 250-SIZE AUTH LOGIN SMTPS- Server TCPListen Port 465 TLS Tunnel SMTP- Client (MUA) TCP SYN b) Internet 220 hostname EMSTP EHLO client 250-hostname 250-PIPELINING 250-8BITMIME 250-SIZE AUTH LOGIN 250 STARTTLS STARTTLS 220 Ready to start TLS TLS Handshake TLS Tunnel SMTP- Server TCPListen Port 25 Figure: Immediate TLS and delayed TLS encryption; aka STARTTLS / STLS Immediate/mandatory TLS encryption: HTTPS, SMTPS, LDAPS, IMAPS, POP3S, QMTPS Delayed/optional TLS encryption: ESMTP + StartTLS, POP3 + STLS 6 / 23
7 TLS Networking Layering T L S Handshake Heartbeat Change CipherSpec Alert (Type 24) (Type 22) (Type 20) (Type 21) Record Layer Protocol HTTP, SMTP, LDAP,... Application protocol (Type 23) User Datagram Protocol (UDP) Transmission Control Protocol (TCP) Internet Protocol (IP) Figure: TLS protocol layering TLS is located on top of TCP/UDP (layer 4+5) and below the application layer (7). It provides a mini layering. The Record layer can be considered as transmission layer: The workhorse. Handshake, Change Cipher and Alert messages are mostly un-encrypted (using a NULL-encryption). The Application messages are encrypted and protected. The Heartbeat Protocol was added in 2011 with only rough evaluation (and fatal consequences). 7 / 23
8 The #4 Crypto Primitives within TLS < 1.3: The Handshake TLS < 1.3 provides three different ways of handshakes: RSA handshake using static RSA public and private keys (the RSA public key is part of the X.509 certificate). Diffie-Hellman using the Discrete Logarithm algorithm (DHE) while providing ephemeral keys. The DH parameters can be configured and changed frequently. Diffie-Hellman with Elliptic Curve Cryptography (ECDHE). Curves and the DH params (as starting point for the calculation are typically fixed by the implementation. (TLS-)Client TCP segment TCP segment Internet TCP Three Way Handshake ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished secured TLS connection Figure: TLS handshake message exchange (TLS-)Server TCP segment = IP packet TCP segment 8 / 23
9 The #4 Crypto Primitives within TLS < 1.3: Encryption TLS as the successor of SSL supports different sets of symmetrical de/encryption: Block ciphers: 64 bit key-length DES 128 bit key-length 3DES 128, 256, 384, 512 bit key-length AES The Block Ciphers are often used in streaming mode : CBC, OFB, GCM. Stream ciphers: bit key-length RC4 ChaCha20 (with TLS 1.2) Steps: Input data Encryptionalgorithm/ implementation Operations mode Feistel Chiffres (DES, 3DES, Lucifer, TEA) Block Cipher fixed key Rijndael Chiffres (AES, Blowfish, Serpant, Idea) Symmetrical En-/De-cryption common secret key Cipher stream (RC4, A5/1+A5/2) Stream Cipher ECB CBC CFB GCM S-Box LFSR NFSR + IV pseudo-random key Cipher stream generation One Time Pad Figure: TLS symmetric encryption 9 / 23
10 The #4 Crypto Primitives within TLS < 1.3: Integrity Check TLS (1.2) uses a keyword authenticated hash to provide authenticity and integrity for the data: Message Authentication Code (keyed MAC). Since TLS employs both stream and block encryption, hashing is done per TLS record prior of encryption: MAC-then-encrypt (MtE). RL Header Protocol = encrypted (optional) Message(s) Length (2 Byte) Version (2 Byte) Protocol (1 Byte) Hashvalue MAC MP PL Padding (optional) Data of the application protocol Segment Compression MAC calculation Encryption 20: ChangeCipherSpec Protocol Record Layer 21: Alert Protocol Header 22: Handshake Protocol 23: Application Protocol (HTTP,.) 24: Heartbeat Protocol (DTLS; maybe also TLS) Figure: Checking the integrity of transmitted data Segment Record Layer Frame Segment Auth key MAC Session key (+IV) 10 / 23
11 The #4 Crypto Primitives within TLS < 1.3: Cipher Suites Crypto primitives used for the current session are provided as Cipher Suite. The TLS protocol enumerates the sets fo crypto primitives. KeyExchange+Authentication Encryption+Operational mode MAC TLS _ RSA DH/DHE ECDH Anonymous DH RSA RSA (Export) DSA DSS ECDSA Figure: TLS Cipher Suites [RFC 3268] Null *RC4(_40/_56/_128) DES(_40/_56) 3DES_EDE(3) AES(_128/_256/_512) RC2(_128/_256) SEED CAMILLA ECB(default) CBC GCM *) Stream cipher; all others: Block ciphers Null MD5 SHA(1) SHA256 SHA384 CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F }; CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 }; CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 }; CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 }; CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 }; CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA = { 0x00, 0x34 }; CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 }; CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x36 }; CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x37 }; CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA = { 0x00, 0x38 }; CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x39 }; CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA = { 0x00, 0x3A }; 11 / 23
12 TLS < 1.3: Keymaterial and Keys TLS uses a variety of hash functions to derive deterministically the PreMasterSecret and the Session keys from the input material. Hash functions are used to diffuse the input and thus pseudo random sequences with significant entropy are the result. This is called a Pseudo Random Function PRF. 'A' PreMasterSecret ServerRandom ClientRandom SHA Hash Hash Hash Hash Hash Hash } } } PreMasterSecret Hash MD5 MAC Secret Session Secret IV 'BB' PreMasterSecret ServerRandom ClientRandom SHA Client Server Client Server Client Server 'CCC' PreMasterSecret ServerRandom ClientRandom PreMasterSecret Hash SHA MD5 Initialisation vector IV: a) For Stream ciphers - or - b) for CBC/GCM operation mode PreMasterSecret Hash MD5 Figure: Generating the PreMaster and the Session secrets Hash Hash Hash 3 * 128 bit Given RSA encryption, the only random number is the client s random provided during the handshake. For Diffie-Hellman, client and server deliver a random value. 12 / 23
13 TLS < 1.3: Weaknesses Backward compatibility with ancient SSL 2.0 (older versions): Renegotiation. Export ciphers suited for NSA de-cryption. Control messages (Alerts, CCS) transmitted in clear text. No particular state model, thus attacker can interrogate at any point. Some Cipher suites (in particular with CBC) are weak or even bad. Very little control on negotiated Cipher suites (mod_ssl). Handshake is slow. Session Resumption with persistent data. Handshake can be broken up (MitM). MtE delivery valuable information for a hacker given its data decryption. TLS (as successor of SSL) is broken by design; it is just working and deployed... everywhere. 13 / 23
14 TLS 1.3 Summary After years of discussion, the IETF released TLS 1.3 in RFC 8446 (and RFC The TLS 1.3 core is a complete redesign. Compatibility with older TLS version is provided supporting its skeleton behaviour and faking a TLS 1.2 handshake. As already used in previous TLS releases, TLS 1.3 uses the Hello Message to transport the new parameters. ECDHE key exchange is mandatory and the only one! TLS uses only a very restricted set of Cipher Suites. Those Ciphers Suites (apart from AES and GCM) are mainly based on Dan Bernstein s developments. TLS 1.3 protects the negotiated data as soon as it is possible during the handshake. Early Application Data can be transmitted in the handshake. The handshake in TLS 1.3 is much more efficient and using Session Resumption provides a 0RTT capability. Though trying to cope with older TLS versions, TLS 1.3 is a different beast. Some Middleboxes don t allow to let the TLS 1.3 traffic through, since it does not look like as expected. 14 / 23
15 TLS 1.3 Handshake The TLS 1.3 is much more efficient using an early encryption scheme. Key Exchange Authentication a) (TLS) Client Internet TCP Session established Message 1 ClientHello Version = 3.3, Random, Nonce, Cipher Suites, C = 0, Extensions: x304, ALPN ServerHello 2a Version = 3.3, Random, SessionID, Cipher Suite, C = 0, Extensions: x304, ADP Certificate Certificate Verify (signature TH) Finished (HKDF/Handshake) Verifies Certificate Generates Master & Session keys Message 3 Finished (HKDF/Handshake) TLS Connection Application key HKDF(shared secret, c/s app traffic,th) (TLS) Client Internet (TLS) Server TCP Session established Message 1 ClientHello Version = 3.3, Random, Nonce, Cipher Suites, C = 0, Extensions: x304, ALPN Generates Master & Session keys 2b 2c 2d b) Traffic key HKDF(shared secret, s/c hs traffic,th) 3a 3b 3c Certificate Certificate Verify (signature TH) Finished (HKDF/Handshake) TLS Connection (TLS) Server encrypted ServerHello 2a Version = 3.3, Random, SessionID, Cipher Suite, C = 0, Extensions: x304, ADP Certificate Request 2b Certificate 2c Certificate Verify (signature TH) 2d Finished (HKDF/Handshake) 2e encrypted Figure: TLS 1.3 Handshake; (a) without and (b) with Client Certificate Request; ALPN: Application Layer Protocol Notifications Only three messages are exchanged: Client Server The (unencrypted) Client Hello message. Server Client The Server Hello message: The first part including protocol artefacts in clear text; the further parts are encrypted with a provisional secret (Traffic Key) covering in particular the X.509 cert. Client Server The encrypted Finish message, telling that the Application Key is ready for use. 15 / 23
16 TLS 1.3 Cipher Suites KeyExchange+Authentication Encryption+Operational mode MAC TLS _ ECDHE secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), x25519(0x001d), x448(0x001e) Figure: TLS 1.3 Cipher Suites Null AES_128_GCM_SHA256 AES_256_GCM_SHA384 CHACHA20_POLY1305_SHA256 AES_128_CCM_SHA256 AES_128_CCM_8_SHA256 CipherSuite TLS_AES_128_GCM_SHA256 {0x13,0x01} CipherSuite TLS_AES_256_GCM_SHA384 {0x13,0x02} CipherSuite TLS_CHACHA20_POLY1305_SHA256 {0x13,0x03} CipherSuite TLS_AES_128_CCM_SHA256 {0x13,0x04} CipherSuite TLS_AES_128_CCM_8_SHA256 {0x13,0x05} SHA-256 SHA-384 Note: CCM = Cipher Block Chaining - Message Authentication Code (CBC-MAC) No particular Authentication method is indicated. Apart from PSK all Transcript Messages are authenticated requiring a valid server X.509 certificate. openssl ecparam -list_curves 16 / 23
17 TLS 1.3 Record Layer c) Length (2 Byte) Hashvalue Version (2 Byte) Content type (1 Byte) Content type Padding length (1 Byte) Message(s) Length (2 Byte) Version = x 303 Content type (1 Byte) Padding (optional) Zero Padding optional a) RL- Header encrypted (optional) b) Application data Message(s) MAC MP PL Segment Segment Segment Compression MACcalculation Encryption Record Layer Header Record Layer Frame HMAC d) Segment AEAD encryption Record Layer Header Application data Segment Record Layer Frame Figure: TLS 1.3 a) Record layer structure w and c) w/o MAC, b) Record with MAC, d) Record with AEAD Segment Secret Nonce Additional data 17 / 23
18 PSK 0 nonedeterministic 0 HKDF-Extr. Early Secret Early Secret, derive, Derived Secret Early Secret, ext binder res binder, binder key (Label) TLS 1.3 Keys stateful key usage Early Secret, c e traffic, TSH(ClientHello) Client Early Traffic Secret Pre Shared Keys Early Secret, e exp master, TSH(ClientHello) Early Exporter Master Secret iterative key generation (EC) DHE Secret 0 HKDF-Extr. Handshake Secret Handshake Secret, derive, Derived Secret HKDF-Extr. Master Secret Key Generation Pipeline Handshake Secret, c hs traffic, TSH(HelloMessages) Client Traffic Handshake Secret Master Secret, c ap traffic, TSH(HelloMessages) Handshake/Key Exchange Handshake Secret, s hs traffic, TSH(HelloMessages) Server Traffic Handshake Secret Traffic En/Decryption Master Secret, s ap traffic, TSH(HelloMessages) PRF Exporter Master Secret, exp master, TSH(HelloMessags) Session Resumption Master Secret, res master, TSH(HelloMessages) Client Application Traffic Secret_0 Server Application Traffic Secret_0 Exporter Master Secret Resumption Master Secret Figure: TLS 1.3 Key generating procedure using HKDF 18 / 23
19 TLS 1.3 PSK & 0RTT and Grease Session Resumption is possible within TLS 1.3 provided, both client and server store the negotiated secret (persistently): Pre-shared Keys (PSK). The PSK secret is indicated in the Client Hello message providing a hash of the PSK and coupled with the identity of the client. In this case, a TLS session can literally succeed in one step, thus 0-RTT. However, this breaks Perfect Forward Secrecy (PFS) Grease: Generate Random Extensions And Sustain Extensibility can applied by client or server to test the counterparts TLS 1.3 capabilities indicating invalid Cipher Suites in the Hello message. (TLS) Client Message 1 3 Stores PSK-Label & Session keys Internet TCP Session established ClientHello Versions= 3.3, Random, Nonce, Cipher Suites, Compression = 0 Supported Vers: x304 Grease Supported Groups: x25519, secp256r1, Key Share Entry: Grease Key Share Entry: x25519 cd34bb1ac39. ServerHelloRetry Version = 3.3, Random, SessionID, Cipher Suite, Compression = 0 Supported Vers: Key Share Hello Retry Request: x25519 Finished (HKDF/Handshake) TLS Connection Extensions New Session Ticket Ticket Lifetime, Ticket Age Ticket Nonce, Ticket., Extensions (TLS) Server 2 matching k Figure: TLS 1.3 using Pre-shared Keys 19 / 23
20 TLS 1.3 1RTT Session establishment can be accelerated in case both client and server don t need to negotiate the Cipher, but rather provide a quick focus: 1-RTT. In this case, the client indicates to the server to know already the (otherwise transmitted) DH-Params and the chosen curve (for ECC) for a quick negotiation. However, the server may have changed its DH-Params, thus this procedure would not work out. Rather, in this case, the server sends a Hello Retry message telling the new DH- Params. This procedure obviously does not violate PFS, since only protocol artefacts are provided by the client. (TLS) Client 1a Message Internet TCP Session established ClientHello Versions= 3.3, Random, Nonce, Cipher Suites, Compression = 0 Key Share Entry: x25519 cd34bb1ac39. PSK Kex Exchange Modes: psk_dhe_ke PSK Identity: identity, obfuscated ticket age PSK Binder: HMACs Offered PSK: identity, binders 1b Early Data (23) ServerHelloRetry 2a Extensions Version = 3.3, Random, SessionID, Cipher Suite, Compression = 0 Supported Vers: Key Share Entry: x25519 Key Exchange: ef1bc93.. Application Data (23) 2b (TLS) Server Figure: TLS 1.3 using 1-RTT message exchange matching 20 / 23
21 Crypto Primitives TLS < 1.3 Hands on Bibliography Commercial spot AUTOREN anatol BADACH erwin HOFFMANN Technik der HEADLINE History IP-NETZE 4. Auflage INTERNET-KOMMUNIKATION IN THEORIE UND EINSATZ Inklusive: Kapitel zum Internet of Things Figure: Technik der IP-Netze (4th edition) 21 / 23
22 Implementation OpenSSL 1.1.0: Install OpenSSL on OmniOSce however without overwriting previous Libs. How to tell which OpenSSL is installed? fehqlibs + ucspi-ssl: Install fehqlibs (under /usr/local). Install ucspi-ssl using fehqlibs and OpenSSL How can you tell that OpenSSL is in use for a client/server? testssl: Install Dirk Wetter s ssltest from Test TLS 1.3. for some sites (including Google and fehcom). WireShark: Install WireShark (> 2.5). Record a TLS 1.3 connection setup and do an interpretation of the negotiation. 22 / 23
23 Bibliography RFC 8446 RFC / 23
MTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16 Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone
More informationTransport Layer Security
Cryptography and Security in Communication Networks Transport Layer Security ETTI - Master - Advanced Wireless Telecommunications Secure channels Secure data delivery on insecure networks Create a secure
More informationComing of Age: A Longitudinal Study of TLS Deployment
Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson,
More informationHistory. TLS 1.3 Draft 26 Supported in TMOS v14.0.0
PRESENTED BY: History SSL developed by Netscape SSLv1.0 Never released SSLv2.0 1995 SSLv3.0 1996 Moved governance to the IETF and renamed TLS TLSv1.0 1999 TLSv1.1 2006 TLSv1.2 2008 TLSv1.3 2018 TLS 1.3
More informationTLS 1.2 Protocol Execution Transcript
Appendix C TLS 1.2 Protocol Execution Transcript In Section 2.3, we overviewed a relatively simple protocol execution transcript for SSL 3.0. In this appendix, we do something similar for TLS 1.2. Since
More informationChapter 4: Securing TCP connections
Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section
More informationIPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43
0/43 IPsec and SSL/TLS Applied Cryptography 0 Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, 2016 Cryptography in the TCP/IP stack application layer transport layer network layer data-link
More informationInternet security and privacy
Internet security and privacy SSL/TLS 1 Application layer App. TCP/UDP IP L2 L1 2 Application layer App. SSL/TLS TCP/UDP IP L2 L1 3 History of SSL/TLS Originally, SSL Secure Socket Layer, was developed
More informationOverview of TLS v1.3 What s new, what s removed and what s changed?
Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Solution Architect / Principal Design Engineer. On Worldpay ecommerce Payment Gateways. Based in Cambridge, UK.
More informationSharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer
SharkFest 17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer peter@lekensteyn.nl 1 About me Wireshark contributor since 2013, core developer
More informationTransport Layer Security
CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University mdahshan@ksu.edu.sa
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Web Security Web is now widely used by business, government, and individuals But Internet and Web are
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) University of Tartu Spring 2017 1 / 22 Transport Layer Security TLS is cryptographic protocol that provides communication security over the
More informationOverview of TLS v1.3. What s new, what s removed and what s changed?
Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Worldpay Principal Design Engineer. Based in Cambridge, UK. andy.brodie@owasp.org Neither a cryptographer nor a
More informationSecuring IoT applications with Mbed TLS Hannes Tschofenig
Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 Munich Agenda For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based
More informationUnderstand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS
Last Updated: Oct 31, 2017 Understand the TLS handshake Understand client/server authentication in TLS RSA key exchange DHE key exchange Explain certificate ownership proofs in detail What cryptographic
More informationSecuring IoT applications with Mbed TLS Hannes Tschofenig Arm Limited
Securing IoT applications with Mbed TLS Hannes Tschofenig Agenda Theory Threats Security services Hands-on with Arm Keil MDK Pre-shared secret-based authentication (covered in webinar #1) TLS Protocol
More informationProtocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.
P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and
More informationSecurely Deploying TLS 1.3. September 2017
Securely Deploying TLS 1.3 September 2017 Agenda Why TLS 1.3? Zero Round Trip Time (0-RTT) requests Forward secrecy Resumption key management Why TLS 1.3? Speed TLS impacts latency, not thoroughput Protocol
More informationSecurity Protocols and Infrastructures. Winter Term 2015/2016
Winter Term 2015/2016 Nicolas Buchmann (Harald Baier) Chapter 8: Transport Layer Security Protocol Key Questions Application context of TLS? Which security goals shall be achieved? Approaches? 2 Contents
More informationSecurity Protocols and Infrastructures. Winter Term 2010/2011
Winter Term 2010/2011 Chapter 4: Transport Layer Security Protocol Contents Overview Record Protocol Cipher Suites in TLS 1.2 Handshaking Protocols Final Discussion 2 Contents Overview Record Protocol
More informationSolving HTTP Problems With Code and Protocols NATASHA ROONEY
Solving HTTP Problems With Code and Protocols NATASHA ROONEY Web HTTP TLS TCP IP 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport
More informationSecurity Protocols and Infrastructures
Security Protocols and Infrastructures Dr. Michael Schneider michael.schneider@h-da.de Chapter 8: The Transport Layer Security Protocol (TLS) December 4, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Overview
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationState of TLS usage current and future. Dave Thompson
State of TLS usage current and future Dave Thompson TLS Client/Server surveys Balancing backward compatibility with security. As new vulnerabilities are discovered, when can we shutdown less secure TLS
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014
Network Security: TLS/SSL Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 Outline 1. Diffie-Hellman key exchange (recall from earlier) 2. Key exchange using public-key encryption
More informationUniversität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2
Universität Hamburg SSL & Company Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Security in TCP/IP UH, FB Inf, SVS, 18-Okt-04 2 SSL/TLS Overview SSL/TLS provides security at TCP layer. Uses
More informationTLS1.2 IS DEAD BE READY FOR TLS1.3
TLS1.2 IS DEAD BE READY FOR TLS1.3 28 March 2017 Enterprise Architecture Technology & Operations Presenter Photo Motaz Alturayef Jubial Cyber Security Conference 70% Privacy and security concerns are
More informationCryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption
and secure channel May 17, 2018 1 / 45 1 2 3 4 5 2 / 45 Introduction Simplified model for and decryption key decryption key plain text X KE algorithm KD Y = E(KE, X ) decryption ciphertext algorithm X
More informationChapter 8 Web Security
Chapter 8 Web Security Web security includes three parts: security of server, security of client, and network traffic security between a browser and a server. Security of server and security of client
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationRequirements from the. Functional Package for Transport Layer Security (TLS)
Requirements from the Functional Package for Transport Layer Security (TLS) Version: 1.0 2018-12-17 National Information Assurance Partnership Revision History Version Date Comment Introduction Purpose.
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationTransport Layer Security
Transport Layer Security TRANSPORT LAYER SECURITY PERFORMANCE TESTING OVERVIEW Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), are the most popular cryptographic protocols
More informationSecurity Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel
Security Protocols Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 CSE545 - Advanced Network Security - Professor McDaniel 1 Case Study: Host Access The first systems used telnet
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationCS 356 Internet Security Protocols. Fall 2013
CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: TLS/SSL Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Diffie-Hellman 2. Key exchange using public-key encryption 3. Goals of authenticated key exchange
More informationCS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL
CS 393 Network Security Nasir Memon Polytechnic University Module 12 SSL Course Logistics HW 4 due today. HW 5 will be posted later today. Due in a week. Group homework. DoD Scholarships? NSF Scholarships?
More informationSecure Socket Layer. Security Threat Classifications
Secure Socket Layer 1 Security Threat Classifications One way to classify Web security threats in terms of the type of the threat: Passive threats Active threats Another way to classify Web security threats
More informationOne Year of SSL Internet Measurement ACSAC 2012
One Year of SSL Internet Measurement ACSAC 2012 Olivier Levillain, Arnaud Ébalard, Benjamin Morin and Hervé Debar ANSSI / Télécom SudParis December 5th 2012 Outline 1 SSL/TLS: a brief tour 2 Methodology
More informationInternet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho
Internet Security - IPSec, SSL/TLS, SRTP - 29th. Oct. 2007 Lee, Choongho chlee@mmlab.snu.ac.kr Contents Introduction IPSec SSL / TLS SRTP Conclusion 2/27 Introduction (1/2) Security Goals Confidentiality
More informationE-commerce security: SSL/TLS, SET and others. 4.1
E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:
More informationAcronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector
Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationTLS 1.1 Security fixes and TLS extensions RFC4346
F5 Networks, Inc 2 SSL1 and SSL2 Created by Netscape and contained significant flaws SSL3 Created by Netscape to address SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security
More informationAuthenticated Encryption in TLS
Authenticated Encryption in TLS Same modelling & verification approach concrete security: each lossy step documented by a game and a reduction (or an assumption) on paper Standardized complications - multiple
More informationIBM Education Assistance for z/os V2R1
IBM Education Assistance for z/os V2R1 Items: TLS V1.2 Suite B RFC 5280 Certificate Validation Element/Component: Cryptographic Services - System SSL Material is current as of June 2013 Agenda Trademarks
More informationAbout FIPS, NGE, and AnyConnect
About FIPS, NGE, and AnyConnect, on page 1 Configure FIPS for the AnyConnect Core VPN Client, on page 4 Configure FIPS for the Network Access Manager, on page 5 About FIPS, NGE, and AnyConnect AnyConnect
More informationSystematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky
Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 1 Transport Layer Security The most important crypto protocol HTTP, SMTP, IMAP 2 2 Secure Sockets Layer (SSL), SSLv2 SSLv3 Trasnsport
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationFUJITSU Software BS2000 internet Services. Version 3.4A May Readme
FUJITSU Software BS2000 internet Services Version 3.4A May 2016 Readme All rights reserved, including intellectual property rights. Technical data subject to modifications and delivery subject to availability.
More informationON THE SECURITY OF TLS RENEGOTIATION
ON THE SECURITY OF TLS RENEGOTIATION 2012/11/02 QUT Douglas Stebila European Network of Excellence in Cryptology II (ECRYPT II) Australian Technology Network German Academic Exchange Service (ATN-DAAD)
More informationLet's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX
Let's Encrypt - Free SSL certificates for the masses Pete Helgren Bible Study Fellowship International San Antonio, TX Agenda Overview of data security Encoding and Encryption SSL and TLS Certficate options
More informationChapter 12 Security Protocols of the Transport Layer
Chapter 12 Security Protocols of the Transport Layer Secure Socket Layer (SSL) Transport Layer Security (TLS) Secure Shell (SSH) [NetSec], WS 2009/2010 12.1 Scope of Transport Layer Security Protocols
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 4.3: Network Security SSL/TLS Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Analysis of the HTTPS Certificate
More informationDesigning Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015
Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015 What Could It Cost You? Average of $0.58 a record According to the Verizon
More informationLehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec
Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München ilab Lab 8 SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL
More informationTLS Security and Future
TLS Security and Future Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Fixing issues in practice Trust, Checking certificates and
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationIntroduction to cryptology (GBIN8U16) Introduction
Introduction to cryptology (GBIN8U16) Introduction Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 24 Introduction 2018 01 24 1/27 First
More informationSecurity analysis of DTLS 1.2 implementations
Bachelor thesis Computing Science Radboud University Security analysis of DTLS 1.2 implementations Author: Niels van Drueten s4496604 First supervisor/assessor: dr.ir. Joeri de Ruiter joeri@cs.ru.nl Second
More informationPerformance Implications of Security Protocols
Performance Implications of Security Protocols Varsha Mainkar Technical Staff Member Network Design & Performance Analysis Advanced Technologies, Joint Work with Paul Reeser 5th INFORMS Telecom Conference
More informationCONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements
CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4
More informationSharkFest 17 Europe. 20 QUIC Dissection. Using Wireshark to Understand QUIC Quickly. Megumi Takeshita. ikeriri network service
SharkFest 17 Europe 20 QUIC Dissection Using Wireshark to Understand QUIC Quickly ParkSuite Classroom 11 November 2017 11:15am-12:30pm Megumi Takeshita ikeriri network service supplimental files http://www.ikeriri.ne.jp/sharkfest
More informationInternet Engineering Task Force (IETF) ISSN: January Suite B Profile for Transport Layer Security (TLS)
Internet Engineering Task Force (IETF) M. Salter Request for Comments: 6460 National Security Agency Obsoletes: 5430 R. Housley Category: Informational Vigil Security ISSN: 2070-1721 January 2012 Abstract
More informationTLS Extensions Project IMT Network Security Spring 2004
TLS Extensions Project IMT4101 - Network Security Spring 2004 Ole Martin Dahl [ole.dahl@hig.no] Torkjel Søndrol [torkjel.soendrol@hig.no] Fredrik Skarderud [fredrik.skarderud@hig.no] Ole Kasper Olsen [ole.olsen@hig.no]
More informationUnderstanding Traffic Decryption
The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. Traffic Decryption Overview, page 1 SSL Handshake
More informationCipher Suite Practices and Pitfalls:
Cipher Suite Practices and Pitfalls: An Overview of Cipher Suite Configuration and Pitfalls on BIG-IP PRESENTED BY: A cipher suite is a named combination of authentication, encryption, message authentication
More informationOutline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE
Outline 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE 2 Securing Real-time Communications 0 In a real-time protocol, two parties negotiate
More informationTotal No. of Questions : 09 ] [ Total No.of Pages : 02
CS / IT 321 (CR) Total No. of Questions : 09 ] [ Total No.of Pages : 02 III/IV B. TECH. DEGREE EXAMINATIONS, OCT / NOV - 2015 Second Semester COMPUTER SCIENCE & ENGINEERING NETWK SECURITY Time : Three
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationCS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD
ERIK JONSSON SCHOOL OF ENGINEERING & COMPUTER SCIENCE Cyber Security Research and Education Institute CS 6324: Information Security Dr. Junia Valente Department of Computer Science The University of Texas
More informationPROTECTING CONVERSATIONS
PROTECTING CONVERSATIONS Basics of Encrypted Network Communications Naïve Conversations Captured messages could be read by anyone Cannot be sure who sent the message you are reading Basic Definitions Authentication
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec
More informationOpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12
OpenSSH ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) http://www.csrrt.org/ 24th February 2006 1 / 12 SSH - History 1995 Tatu Ylonen releases ssh-1.0.0 (Forms SSH Communications
More informationPerfect forward not so secrecy
Perfect forward not so secrecy By: Joey Dreijer and Sean Rijs December 16, 2013 Final version Abstract Perfect Forward Secrecy (PFS) is a technique that gives each session a new key and removes it when
More informationIPSec Transform Set Configuration Mode Commands
IPSec Transform Set Configuration Mode Commands The IPSec Transform Set Configuration Mode is used to configure IPSec security parameters. There are two core protocols, the Authentication Header (AH) and
More informationCryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography
Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Key Management The first key in a new connection or association is always delivered via a courier Once you have a key, you
More informationAPNIC elearning: Cryptography Basics
APNIC elearning: Cryptography Basics 27 MAY 2015 03:00 PM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security
More informationBIG-IP System: SSL Administration. Version
BIG-IP System: SSL Administration Version 13.0.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate
More informationSankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank
Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology Question Bank Subject: Information Security (160702) Class: BE Sem. VI (CE/IT) Unit-1: Conventional
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationCOSC4377. Chapter 8 roadmap
Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7
More informationTLS/sRTP Voice Recording AddPac Technology
Secure IP Telephony Solution (TLS/SRTP Protocol) TLS/sRTP Voice Recording AddPac Technology 2015, Sales and Marketing www.addpac.com Contents Secure IP Telephony Service Diagram Secure VoIP Protocol &
More informationLecture 10: Communications Security
INF3510 Information Security Lecture 10: Communications Security Nils Gruschka University of Oslo Spring 2018 Introduction Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg
More informationAcronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector
Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National
More informationFindings for
Findings for 198.51.100.23 Scan started: 2017-07-11 12:30 UTC Scan ended: 2017-07-11 12:39 UTC Overview Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 80/tcp
More informationNIST Cryptographic Toolkit
Cryptographic Toolkit Elaine Barker ebarker@nist.gov National InformationSystem Security Conference October 16, 2000 Toolkit Purpose The Cryptographic Toolkit will provide Federal agencies, and others
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationIPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security
IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec,
More informationThe Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.
The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0 Xirrus, Inc. March 8, 2011 Copyright Xirrus, Inc. 2011. May be reproduced only in its original entirety [without revision]. Page 1 TABLE
More informationSSL Report: ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > www.workbench.nationaldataservice.org SSL Report: www.workbench.nationaldataservice.org (141.142.210.100) Assessed on:
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 14: Folklore, Course summary, Exam requirements Ion Petre Department of IT, Åbo Akademi University 1 Folklore on
More informationTable of Contents 1 IKE 1-1
Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration
More information