Internet security and privacy

SSL/TLS

Application layer
[Figure: protocol stack, top to bottom: App., TCP/UDP, IP, L2, L1]

Application layer
[Figure: protocol stack, top to bottom: App., SSL/TLS, TCP/UDP, IP, L2, L1]

History of SSL/TLS
Originally SSL (Secure Socket Layer) was developed by Netscape for secure HTTP connections in 1994-95.
Microsoft developed a similar protocol with improved properties.
Netscape included the improvements and released SSL v3 in 1996.
IETF presented their own version, TLS (Transport Layer Security), based on SSLv3 but with some changes.

SSL/TLS
IETF cannot present standards that use patent-protected technology. It could therefore not accept SSL as it was, since it was using RSA technology.
TLS mandated the implementation of Diffie-Hellman and Digital Signature Standard.
The RSA patent expired in 2000 and few companies migrated to TLS. SSLv3 is still the most used version.
RSA patents are gone and SSLv3 and TLS will hopefully merge.

SSL/TLS
Based on public key infrastructure: all servers have a certificate signed by a CA and the clients have a set of trusted CAs.
Client authentication is optional and requires that the client also has a private/public key and a valid certificate.
Since the authentication method is fixed, the initial protocol is simplified (compare with IPsec with eight different modes).

Hand shaking
Alice -> Bob: crypto proposal, R_Alice
Bob -> Alice: certificate, crypto choice, R_Bob
Alice: choose S, K = f(S, R_Alice, R_Bob)
Alice -> Bob: {S}_Bob, {md(K, msg_CLNT)}
Bob: K = f(S, R_Alice, R_Bob)
Bob -> Alice: {md(K, msg_SRVR)}
S is the pre-master key, K is the master key.

Session resumption
An SSL/TLS session can use one or more TCP connections (designed for HTTP 1.0).
Each TCP connection can use a unique master key that can be computed without choosing a new pre-master key or doing a public-key encryption.
If the server allows session resumption it will send a session-id in its first reply.

Session resumption
Alice -> Bob: session-id, crypto proposal, R_Alice
Bob -> Alice: session-id, crypto choice, R_Bob, {md(K, msg)}
Alice -> Bob: {md(K, msg)}
Both Alice and Bob compute K = f(S, R_Alice, R_Bob).

The master key
Each connection has a master key and two random values chosen by Alice and Bob.
From these values both sides derive two sets of:
- encryption key
- integrity key
- IV (if needed)
The connection will thus use one set of keys in each direction.
R-values include a time stamp.

Hand shaking revisited
Alice -> Bob: cp, R_Alice
Bob -> Alice: cert, cc, R_Bob
Alice: choose S
Alice -> Bob: {S}_Bob
Alice and Bob: K = f(S, R_Alice, R_Bob)
Alice and Bob: compute encryption key, integrity key and IV: <e1,e2,i1,i2,v1,v2> = g(K, R_Alice, R_Bob)
Alice -> Bob: {md(K, msg_CLNT)}
Bob -> Alice: {md(K, msg_SRVR)}
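
Added example (not from the original slides): the two derivation steps K = f(S, R_Alice, R_Bob) and <e1,e2,i1,i2,v1,v2> = g(K, R_Alice, R_Bob), with the TLS 1.2 PRF from RFC 5246 assumed as a concrete choice for f and g. The function names, key sizes and fixed sample values are constructed for illustration.

```python
import hmac, hashlib

def p_sha256(secret: bytes, seed: bytes, n: int) -> bytes:
    """P_hash from RFC 5246 section 5: iterate HMAC until n bytes exist."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def master_key(s: bytes, r_alice: bytes, r_bob: bytes) -> bytes:
    """K = f(S, R_Alice, R_Bob): the 48-byte master key."""
    return p_sha256(s, b"master secret" + r_alice + r_bob, 48)

def connection_keys(k, r_alice, r_bob, mac_len=32, key_len=16, iv_len=16):
    """g(K, R_Alice, R_Bob): integrity key, encryption key and IV per direction."""
    names = ["i1", "i2", "e1", "e2", "v1", "v2"]   # 1 = Alice->Bob, 2 = Bob->Alice
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    # RFC 5246 puts the server random first in the key expansion seed.
    block = p_sha256(k, b"key expansion" + r_bob + r_alice, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def derive(s, r_alice, r_bob):
    """Run both steps; Alice and Bob each call this with the same inputs."""
    return connection_keys(master_key(s, r_alice, r_bob), r_alice, r_bob)

# Constructed sample values: fixed bytes stand in for the random S and R values.
S = bytes(range(48))
R_ALICE, R_BOB = b"\xaa" * 32, b"\xbb" * 32

if __name__ == "__main__":
    first = derive(S, R_ALICE, R_BOB)
    resumed = derive(S, b"\xcc" * 32, b"\xdd" * 32)   # same S, fresh R values
    print("keys differ across connections:", first["e1"] != resumed["e1"])
```

Because the R values enter both steps, a resumed connection that reuses S still ends up with keys unrelated to those of the earlier connection.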

Client authentication
Clients are normally not authenticated, but the server has the option to request a certificate from the client.
In a browser implementation the user will be asked which certificate to use for authentication.
Client authentication is normally provided by a user name and password that are protected by the secure communication to the server.

The version mess
Version numbers are recorded in a two-byte field:
- SSLv2 uses: 02
- SSLv3 uses: 30
- TLS uses: 31
SSLv3 changed the location of the version number field!
A v3 client will send a v3 hello message in a v2 format with the version number set to 30!

Cipher suite negotiation
A cipher suite consists of a description of which algorithms to use for authentication, encryption, chaining, and integrity.
Each suite is given a unique number and it is a set of these numbers that the client presents as a proposal.
The server does not pick one but rather returns a possibly reduced set that it can support.
Very different from IPsec!

Export regulations
Export restrictions (from the US) have (2000) been lifted (except for some states) and the special handling of export-approved ciphers and keys is no longer needed.
The export regulations did however cause a lot of problems; not only are there export versions of the algorithms, but the export versions should be able to talk to the US versions.
Big confusion for what?

Encoding
The SSL/TLS hand shake is implemented over TCP.
SSL/TLS communicates using messages that are grouped in records (a large message can be broken up into several records).
The record is the unit of encryption.
There are four record types:
- Handshake
- Change cipher
- Alert
- Application data

Encrypting a record
[Figure: seq #, Head and Data are the input to the HMAC; the record is Head, Data, HMAC and pad, with the encrypted part marked.]
SSLv3 uses a non-standard implementation of HMAC. TLS follows RFC 2104.
The sequence number is never sent but kept and incremented at both ends.
Encryption uses a block cipher in CBC or RC4.
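
Added example (not from the original slides): the integrity half of record protection, showing why an implicit sequence number that is MACed but never sent lets the receiver reject replayed, reordered or modified records. Encryption is omitted so the code needs only the standard library; the class name, key and record contents are constructed, and HMAC-SHA1 per RFC 2104 is assumed.

```python
import hmac, hashlib, struct

APPLICATION_DATA = 23          # record type value from the TLS RFCs
VERSION = b"\x03\x01"          # TLS 1.0 as it appears on the wire

class RecordMac:
    """One direction of a connection: integrity key plus implicit sequence number."""
    def __init__(self, integrity_key: bytes):
        self.key, self.seq = integrity_key, 0

    def _mac(self, head: bytes, data: bytes) -> bytes:
        # The 64-bit sequence number is MACed but never put on the wire.
        msg = struct.pack("!Q", self.seq) + head + data
        return hmac.new(self.key, msg, hashlib.sha1).digest()

    def protect(self, data: bytes) -> bytes:
        head = struct.pack("!B2sH", APPLICATION_DATA, VERSION, len(data))
        record = head + data + self._mac(head, data)
        self.seq += 1
        return record

    def verify(self, record: bytes) -> bytes:
        head, body = record[:5], record[5:]
        data, tag = body[:-20], body[-20:]
        if struct.unpack("!H", head[3:5])[0] != len(data):
            raise ValueError("bad record length")
        if not hmac.compare_digest(tag, self._mac(head, data)):
            raise ValueError("bad record MAC")   # a real stack sends a fatal alert
        self.seq += 1                            # advance only on success
        return data

def demo():
    key = b"k" * 20                              # constructed integrity key
    alice, bob = RecordMac(key), RecordMac(key)
    r0, r1 = alice.protect(b"first"), alice.protect(b"second")
    results = [bob.verify(r0)]                   # in order: accepted
    forged = r1[:5] + b"SECOND" + r1[11:]        # same length, altered data
    for label, rec in (("replay", r0), ("tamper", forged)):
        try:
            bob.verify(rec)
            results.append(label + " accepted")
        except ValueError:
            results.append(label + " rejected")
    results.append(bob.verify(r1))               # genuine next record still verifies
    return results

if __name__ == "__main__":
    print(demo())
```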

Records and messages
- Hand shake record: ClientHello, ServerHello, ClientKeyExchange, Certificate, ServerHelloDone, ClientHelloDone, HandshakeFinished, CertificateReq, CertificateVerify, ServerKeyExchange
- Change cipher record: ChangeCipher
- Alert record
- Application data record

Messages
Alice -> Bob: ClientHello
Bob -> Alice: ServerHello, Certificate, ServerHelloDone
Alice -> Bob: ClientKeyExchange, ChangeCipherSpec, HandshakeFinished
Bob -> Alice: ChangeCipherSpec, HandshakeFinished

SSL/TLS drawback
Since the TCP packets are not protected, it is possible for Trudy to insert false TCP packets, for example with a sequence number not yet sent.
The SSL/TLS process will notice this, but the TCP layer has already accepted the packet and will discard the correct one once it arrives.
Trudy can also close the TCP connection, but this will be noticed by SSLv3/TLS.
One solution: implement TLS over UDP and do the job of TCP yourself.
It is always hard to protect against DoS attacks, so it might not be worth it.

SSL/TLS usage
Mainly used for web access since most servers support it (if they only had a certificate) and all clients support it.
More applications come with an SSL/TLS-protected web interface.
Could also be used to build a secure tunnel that any application can use.
Also used in EAP for session key establishment; the key is then used for L2 encryption.
WTLS is the WAP version of TLS.