SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Similar documents
Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Internet security and privacy

Trust Infrastructure of SSL

E-commerce security: SSL/TLS, SET and others. 4.1

Chapter 4: Securing TCP connections

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

CSCE 715: Network Systems Security

Chapter 8 Web Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Transport Level Security

and Web Security

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

PROVING WHO YOU ARE TLS & THE PKI

Overview. SSL Cryptography Overview CHAPTER 1

Transport Layer Security

Presented by: Ahmed Atef Elnaggar Supervisor: Prof. Shawkat K.Guirguis

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Digital Certificates Demystified

CS November 2018

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

14. Internet Security (J. Kurose)

Crypto meets Web Security: Certificates and SSL/TLS

MTAT Applied Cryptography

TLS1.2 IS DEAD BE READY FOR TLS1.3

Chapter 6: Security of higher layers. (network security)

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Information Security CS 526

and Web Security

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Progressively Securing RIOT-OS!

Lecture 10: Communications Security

Securing Network Communications

Diffie-Hellman. Part 1 Cryptography 136

Configuring SSL CHAPTER

Configuring SSL. SSL Overview CHAPTER

CS 494/594 Computer and Network Security

Introduction. INF3510 Information Security. Lecture 10: Communications Security. Outline. Network Security Concepts. University of Oslo Spring 2018

SSL/TLS. How to send your credit card number securely over the internet

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

SSL/TLS. Pehr Söderman Natsak08/DD2495

Public-Key Infrastructure NETS E2008

Configuring SSL. SSL Overview CHAPTER

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

HTTPS is Fast and Hassle-free with Cloudflare

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Introduction to Cryptography Lecture 11

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Public Key Infrastructure. What can it do for you?

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Introduction to Cryptography Lecture 11

Auth. Key Exchange. Dan Boneh

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Configuring Secure Socket Layer HTTP

Real-time protocol. Chapter 16: Real-Time Communication Security

Configuring Secure Socket Layer HTTP

SSL, Credit Card Transactions. CS174 Chris Pollett Nov. 5, 2007.

CS Certificates, part 2. Prof. Clarkson Spring 2017

E-commerce security: SSL/TLS, SET and others. 4.2

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

CS155b: E-Commerce. Lecture 8: February 1, TPSs and Content-Distribution Businesses

CIS 5373 Systems Security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

White Paper for Wacom: Cryptography in the STU-541 Tablet

TLS 1.1 Security fixes and TLS extensions RFC4346

Cryptographic Protocols 1

Encryption. INST 346, Section 0201 April 3, 2018

Authentication Part IV NOTE: Part IV includes all of Part III!

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Overview of Authentication Systems

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Transport Layer Security

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

CIP Security Phase 1 Secure Transport for EtherNet/IP

AIT 682: Network and Systems Security

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

When HTTPS Meets CDN

Displaying SSL Configuration Information and Statistics

Security: Focus of Control

Key Management and Distribution

One Year of SSL Internet Measurement ACSAC 2012

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Security: Focus of Control. Authentication

But where'd that extra "s" come from, and what does it mean?

Configuring SSL Security

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Security Protocols and Infrastructures. Winter Term 2010/2011

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

COSC4377. Chapter 8 roadmap

Public-key Infrastructure

Today s Lecture. Secure Communication. A Simple Protocol. Remote Authentication. A Simple Protocol. Rules. I m Alice. I m Alice

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Transcription:

SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1

SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm kept secret Reverse engineered & broken by Wagner & Goldberg SSLv3 Fixed and improved, released in 1996 Public design process TLS: IETF s version; the current standard Latest: v1.2 (RFC 5246, August 2008) DTLS (Datagram TLS): TLS over UDP CS470, A.A.Selçuk SSL/TLS & 3DSec 2

SSL Architecture SSL Handshake Protocol SSL Change Cipher Spec. Protocol SSL Alert Protocol HTTP, etc. SSL Record Protocol TCP IP Record Protocol: Message encryption/authentication Handshake P.: Identity authentication & key exchange Alert P.: Error notification (cryptographic or otherwise) Change Cipher P.: Activate the pending crypto suite CS470, A.A.Selçuk SSL/TLS & 3DSec 3

Alice Basic SSL/TLS Handshake Protocol hello, crypto offered, R A certificate, crypto selected, R B {S} Bob, {keyed hash of messages} (K = f(s, R A, R B )) Bob {keyed hash of messages} session keys derived from K CS470, A.A.Selçuk SSL/TLS & 3DSec 4

SSL/TLS Handshake Protocol Client authentication: Bob can optionally send cert. req. in msg 2. Then, Alice will send her certificate in msg 3 as well as her signature on all messages so far. DH is supported too (fixed, ephemeral, or anon.) DH is gaining popularity (ECDH, in particular) over RSA key transport. Especially after Snowden. IETF is to drop RSA key transport from TLS 1.3. http://www.theinquirer.net/inquirer/news/2343117/ietfdrops-rsa-key-transport-from-ssl CS470, A.A.Selçuk SSL/TLS & 3DSec 5

Alice DH SSL/TLS Handshake Protocol hello, crypto offered, R A [g x ] B, certificate, crypto selected, R B g y, {keyed hash of messages} (K = f(s, R A, R B ), where S = g xy ) Bob {keyed hash of messages} session keys derived from K CS470, A.A.Selçuk SSL/TLS & 3DSec 6

DH in SSL/TLS Main advantage: PFS https://www.imperialviolet.org/2011/11/22/forwardsecret. html Disadvantage: More costly RSA key transport: One exponentiation per side Ephemeral DH: Three exponentiations per side But, with new ECC algorithms (e.g., EC25519), the overhead has become almost negligible. https://www.imperialviolet.org/2013/05/10/fastercurve255 19.html CS470, A.A.Selçuk SSL/TLS & 3DSec 7

SSL Session vs. Connection Sessions are relatively long-lived. Multiple connections (TCP) can be supported under the same SSL session. To start a connection, Alice can send an existing session ID. If Bob doesn t remember the session ID Alice sent, he responds with a different value. CS470, A.A.Selçuk SSL/TLS & 3DSec 8

Alice Session Resumption ( Connection ) session-id, crypto offered, R A session-id, crypto selected, R B, {keyed hash of msgs} {keyed hash of messages} Bob session keys derived from K, R A, R B CS470, A.A.Selçuk SSL/TLS & 3DSec 9

Key Computation pre-master secret : S master secret : K = f(s, R A, R B ) For each connection, 6 keys are generated from K and the nonces. (3 keys for each direction: encryption, auth., IV) Implicit IVs are abandoned in TLS 1.1 and later: http://crypto.stackexchange.com/questions/2641/why-donew-versions-of-tls-use-an-explicit-iv-for-cbc-suites CS470, A.A.Selçuk SSL/TLS & 3DSec 10

Negotiating Crypto Suites Crypto suite: A complete package specifying the crypto to be used. (encryption algorithm, key length, integrity algorithm, etc.) 30+ predefined standard cipher suites. 256 values reserved for private use. Selection: v2: Alice proposes a set of suites; Bob returns a subset of them; Alice selects one. (which doesn t make much sense) v3: Alice proposes a set of suites; Bob selects one. CS470, A.A.Selçuk SSL/TLS & 3DSec 11

The Trust Model PKI: Oligarchy model with X.509 certificates Browsers come configured with a set of trusted root CAs (VeriSign, AT&T, Entrust/Nortel, etc.) Additions to the root CA list by user is possible. Typically, only the server is authenticated. Client authentication is optional. Certificate revocation: Two alternative protocols: CRL OCSP CS470, A.A.Selçuk SSL/TLS & 3DSec 12

Secure Electronic Transaction (SET) Application-layer e-commerce protocol Developed by Visa & MasterCard consortium, 1996 Provides security, authentication, order transaction, payment authorization, etc. Both the merchant & customer are authenticated by X.509 certificates CS470, A.A.Selçuk SSL/TLS & 3DSec 13

SET Problems of e-commerce over SSL/TLS: malicious merchants (stealing credit card numbers) malicious customers (using stolen credit card no.s) SET solution: Bank (B) acts as an intermediary between the customer (C) & the merchant (M) M forwards C s info. to B, encrypted with B s key B does: authenticate C s public key signature decrypt the transaction info. (amount, card number, etc.) issue payment authorization & send it to M CS470, A.A.Selçuk SSL/TLS & 3DSec 14

SET & 3D-Secure SET problem: All users are required to have public keys & wallets. difficult to deploy & expensive not convenient (user access from a single terminal) 3D-Secure solution: No wallets are required. B authenticates C by password (or, SMS-OTP). M directs C to B, to which password is SSL-encrypted. (Problem: Malicious merchants can do m.i.t.m. attack, directing C to a fake page it controls.) Officially launched in 2003, supported by Visa & MC. CS470, A.A.Selçuk SSL/TLS & 3DSec 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback