Transport Layer Security

Transcription

1 CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University

2 Web Security Considerations Web is client/server application over Internet Internet is 2-way, unlike traditional publishing Many businesses depend on web Underlying software is very complex browsers, web servers easy to use, configure however, software hide many security flaws Attack on web servers can harm other computers within organization Many users don t know enough to handle risks 2

3 Web Security Threats 3

4 Web Security Approaches IPSec Transparent to applications General purpose Filtering capability SSL/TLS Part of protocol, thus, transparent to applications or embedded into packages (e.g. browsers) Kerberos, S/MIME/PGP Embedded into packages Can be tailored to specific application needs 4

5 Secure Socket Layer (SSL) Originated by Netscape (SSLv3) Transport Layer Security developed by IETF TLS = SSLv3.1, backward compatible v3 Discussion is mainly for SSLv3 5

6 SSL Architecture Designed to work with TCP Provide end-to-end reliable service Two layers of protocols SSL record protocol provide services to upper protocols SSL Handshake, Change Cipher Spec, Alert used in management of SSL exchanges HTTP can operate on top of SSL 6

7 SSL Architecture 7

8 SSL Connections and Sessions Connection peer-to-peer relationship, transport layer transient associated with one session Session association between client, server created by Handshake Protocol define set of cryptographic security parameters parameters shared by multiple connections avoid negotiating new parameters/connection 8

9 Session State Parameters Session identifier Peer certificate X.509v3 certificate of the peer Compression method Cipher spec encryption algorithm (e.g. AES), hash (MD5) Master secret key shared between client, server Is resumable 9

10 Connection State Parameters Server and client random Server MAC secret Client MAC secret Server write key Client write key Initialization vector IV used with CBC mode Sequence numbers secret keys used in MAC operations secret encryption keys 10

11 SSL Record Protocol Provides two services to SSL connections confidentiality: encryption of SSL payloads message integrity: using MAC Steps fragmentation: to blocks of 2 14 bytes compression: optional MAC: of compressed data, secret key used encryption: symmetric block or stream cipher prepending header 11

12 SSL Record Protocol 12

13 SSL Record Format header 13

14 SSL Record Protocol Payload 14

15 Change Cipher Spec Protocol Consists of single message change_cipher_spec single byte, value = 1 Cause pending state to be copied to current updates cipher suite to be used on connection 15

16 Alert Protocol Convey SSL related alerts to peer entity Alert messages compressed, encrypted Consists of 2 bytes First byte take values warning (1), fatal (2) Fatal SSL terminates connection other connections in same session continue no new connections allowed Second byte contains code of specific alert 16

17 Handshake Protocol Most complex part of SSL Allows server and client to authenticate each other negotiate algorithms, keys used (crypt, MAC) Used before any application data transmitted Consists of 4 phases 17

18 18

19 Phase 1: Establish Security Capabilities Initiate logical connection Establish associated security capabilities client_hello message version: highest supported SSL version CipherSuite: list of supported crypt algorithms in decreasing order of preference server_hello message version: highest supported by both client, server CipherSuite: selected suite from proposed list 19

20 Phase 2: Server Authentication and Key Exchange certificate message server sends its X.509 certificate or chain certificate_key_exchange message parameters for key exchange required by some algorithms (no shared key) certificate_request message list of acceptable certificate authorities server_done message indicate end of server hello messages 20

21 Phase 3: Client Authentication and Key Exchange Client verifies server certificate is valid Check that parameters are acceptable certificate_message sent if server requested certificate client_key_exchange message parameters for key exchange certificate_verify message optional, for some certificate types 21

22 Phase 4: Finish Completes setting up secure connection change_cipher_spec message sent using Change Cipher Spec protocol finished message sent with established algorithms, keys verifies key exchange, auth were successful 22

23 TLS Differences From SSL Version number MAC algorithm and scope of calculation Pseudorandom function Alert codes: one unsupported, many added Client certificate types: some unsupported Hash calculation for messages certificate_verify finished 23

24 HTTPS HTTP over SSL/TLS Secure comm between web server and browser Supported by all modern web browsers Use depends on web server 24

25 HTTPS 25

26 HTTPS 26

27 Encrypted Elements URL of requested document Contents of the document Contents of browser filled forms Cookies (both sides) HTTP headers 27

28 Secure Shell (SSH) Protocol for secure network communications Relatively simple and inexpensive Initially focused on remote login (TELNET) Later: general client/server capability file transfer X tunneling One of most pervasive encryption applications 28

29 Secure Shell (SSH) 29

30 SSH Protocols 30

31 Transport Layer Protocol (TLP) Server uses public key for authentication Server host key used during key exchange Client must know server s public key local database [hostname : key] no centrally administered infrastructure database can be large central CA: client only knows CA root key simpler maintenance host key must be centrally certified 31

32 Packet Exchanges Supported algorithms for key exchange encryption MAC compression see Table 16.3 Uses Diffie-Hellman Why use key exchange when we have public key? 32

33 Packet Formation compression decided during...? why padding? initialized to 0 incremented for each packet MAC not encrypted 33

34 User Authentication Protocol Authentication methods publickey C S: E(PRC, M).. where M contains PUC S checks PUC is acceptable, then verifies signature password plaintext password (protected by TLP encryption) hostbased SSH server verifies client s host believes host when it authenticates user 34

35 Connection Protocol Runs on top of SSH Transport Layer Protocol Assume secure auth connection (tunnel) in use Tunnel multiplex multiple logical channels Channel used for each type of communication e.g. terminal session flow controlled using window mechanism 35

36 Connection Protocol 36

37 Channel Types session remote execution of a program program: shell, file transfer, , x11 app run at server but displayed at client desktop forwarded-tcpip remote port forwarding direct-tcpip local port forwarding 37

38 Port Forwarding One of the most useful features of SSH Ability to secure any insecure TCP connection Also known as SSH Tunnel Two types local forwarding remote forwarding 38

39 Local Forwarding Source: 39

40 Remote Forwarding Source: 40

41 Additional References About SSL/TLS SSL/TLS Protocol overview Implementing Web Site Client Authentication Using Digital IDs Secure Sockets Layer (SSL) Protocol SSH Public-Key Authentication HOWTO Supported SSH channel types SSH Port Forwarding Local VS Remote 41