MTAT Applied Cryptography

Similar documents
MTAT Applied Cryptography

CSCE 715: Network Systems Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Security Protocols and Infrastructures. Winter Term 2015/2016

Auth. Key Exchange. Dan Boneh

Security Protocols and Infrastructures. Winter Term 2010/2011

Transport Layer Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

WAP Security. Helsinki University of Technology S Security of Communication Protocols

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Security Protocols and Infrastructures

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Chapter 4: Securing TCP connections

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Securing IoT applications with Mbed TLS Hannes Tschofenig

Internet security and privacy

Coming of Age: A Longitudinal Study of TLS Deployment

Cryptography (Overview)

Secure Socket Layer. Security Threat Classifications

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Practical Issues with TLS Client Certificate Authentication

TLS Extensions Project IMT Network Security Spring 2004

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Chapter 12 Security Protocols of the Transport Layer

Transport Layer Security

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Securely Deploying TLS 1.3. September 2017

CS 161 Computer Security

ON THE SECURITY OF TLS RENEGOTIATION

Introduction to cryptology (GBIN8U16) Introduction

Overview. SSL Cryptography Overview CHAPTER 1

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

TLS1.2 IS DEAD BE READY FOR TLS1.3

TLS 1.2 Protocol Execution Transcript

Transport Level Security

E-commerce security: SSL/TLS, SET and others. 4.1

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

State of TLS usage current and future. Dave Thompson

Overview of TLS v1.3 What s new, what s removed and what s changed?

Cryptology complementary. Introduction

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices. Abstract

Security analysis of DTLS 1.2 implementations

CS 356 Internet Security Protocols. Fall 2013

TLS 1.1 Security fixes and TLS extensions RFC4346

Understanding Traffic Decryption

CIS 5373 Systems Security

Lecture: Transport Layer Security (secure Socket Layer)

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

TLS/sRTP Voice Recording AddPac Technology

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Perfect forward not so secrecy

TLS Security and Future

Transport Layer Security

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Overview of TLS v1.3. What s new, what s removed and what s changed?

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Was ist neu bei TLS 1.3?

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

SSL/TLS. Pehr Söderman Natsak08/DD2495

Cryptographic Systems

SSL/TLS CONT Lecture 9a

TRANSPORT-LEVEL SECURITY

Performance Implications of Security Protocols

Chapter 5. Transport Level Security

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999

Introduction to Cryptography Lecture 11

Auditing IoT Communications with TLS-RaR

New Generation Cryptosystems using Elliptic Curve Cryptography

Real-time protocol. Chapter 16: Real-Time Communication Security

AIR FORCE INSTITUTE OF TECHNOLOGY

ecure Sockets Layer, or SSL, is a generalpurpose protocol for sending encrypted

Chapter 8 Web Security

TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Internet Engineering Task Force (IETF) ISSN: January Suite B Profile for Transport Layer Security (TLS)

Proving who you are. Passwords and TLS

One Year of SSL Internet Measurement ACSAC 2012

Information Security CS 526

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Preventing Attackers From Using Verifiers: A-PAKE With PK-Id

Public Key Cryptography

Total No. of Questions : 09 ] [ Total No.of Pages : 02

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Displaying SSL Configuration Information and Statistics

Encryption. INST 346, Section 0201 April 3, 2018

Secure Internet Communication

Fast-Track Session Establishment for TLS

APNIC elearning: Cryptography Basics

TLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1

Transcription:

MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16

Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone ClientKeyExchange Application Data Server Client usually is authenticated on the application level by some shared secret (e.g., password). This can fail: Server can be impersonated Server can be compromised Password can be reused in another service Password can be guessed Password can be phished 2 / 16

Client Certificate Authentication Client ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify Application Data Server CertificateVerify signature over all handshake messages Can CertificateVerify be reused in another handshake? Why CertificateVerify is after ClientKeyExchange? Client s Certificate sent before ChangeCipherSpec Client proves his identity by signing and not by decrypting 3 / 16

Session Resumption Client ClientHello ServerHello Application Data Server Abbreviated handshake improves performance, saving: 1 round-trip time across the network 1 asymmetric crypto operation Several TLS connections can belong to one TLS session Resumed TLS connections share the same master secret If TLS connection fails, TLS session becomes non-resumable 4 / 16

Renegotiation Any party can initiate negotiation of a new TLS session: Client by sending ClientHello Server by sending HelloRequest Handshake messages of the new TLS session are protected by cipher suite negotiated in previous TLS session Used by server to renegotiate stronger cipher suite or to request client certificate authentication if on application level client tries to access resources that require such security measures 5 / 16

Certificate request on renegotiation ClientHello ServerHello, Certificate, ServerHelloDone ClientKeyExchange Client Application Data (GET /auth HTTP/1.1) HelloRequest ClientHello ServerHello, Certificate, CertificateRequest, ServerHelloDone Certificate, ClientKeyExchange, CertificateVerify... Server 6 / 16

NSA attacks on TLS UNCLASSIFIED RSA Keys (Stating the Obvious) If the Key Exchange type is RSA: ^ If we can get a hold of the server's RSA private key, we can decrypt the Client Key Exchange message and read the premaster secret key. No other heavy work need be done. Valid for life of certificate UNCLASSIFIED https://www.eff.org/document/20141228-spiegel-scarletfever-program-attack-secure-sockets-layer-ssl-tls 7 / 16

Diffie-Hellman Key Exchange (2 5 ) 4 = 2 5 4 = (2 4 ) 5 In practice is used multiplicative group of integers modulo p Dicrete logarithm problem hard to find x, given 2 x = 32 mod p What to do with key established? Secure against passive eavesdropping ElGamal, DSA, Elliptic Curve DSA based on DH 8 / 16

Diffie-Hellman Key Exchange Client ClientHello ServerHello, Certificate, ServerKeyExchange, ServerHelloDone ClientKeyExchange Application Data Server ServerKeyExchange contains DH group, server s DH public key and server s RSA signature over DH public key, client randomness and server randomness ClientKeyExchange contains client s DH public key How is pre-master secret calculated? Used by TLS (EC)DHE RSA WITH * cipher suites Why not to use RSA key exchange directly? Perfect Forward Secrecy 9 / 16

Perfect Forward Secrecy Benefits: Attacker who has compromised RSA private key cannot decrypt previous TLS traffic Attacker who has compromised RSA private key has to execute active MITM attack Attacker has to crack x keys to decrypt x sessions made to the server How to apply PFS in hybrid encryption? 10 / 16

Extensions ClientHello can contain length prefixed extensions ServerHello will contain response to client s extensions Most popular extensions: Server Name Indication extension (RFC 3546) TLS Session Tickets (RFC 5077) Elliptic Curves (RFC 4492) Heartbeat (RFC 6520) 11 / 16

Other authentication methods TLS-PSK (RFC 4279) pre-shared key PSK identities up to 128 octets in length PSKs up to 64 octets in length TLS PSK WITH * TLS RSA PSK WITH * TLS DHE PSK WITH * TLS-SRP (RFC 5054) low-entropy password Uses discrete logarithms Prevents off-line brute force attacks Password does not have to be stored on server in plaintext User name appended to ClientHello in SRP extension TLS SRP SHA WITH * TLS SRP SHA RSA WITH * TLS SRP SHA DSS WITH * DH anon both client and server remain anonymous TLS DH anon WITH * No Certificate messages allowed opportunistic encryption (HTTP/2.0) 12 / 16

Task (7 points) Implement TLS 1.0 client that can obtaining HTTP GET response. $ python tls_client.py https://127.0.0.1:4433/ --> client_hello() <--- server_hello() [+] server randomness: 57359448EF20879409852D451B1A3089D620A95944BF8092A [+] server timestamp: 2016-05-13 11:46:00 [+] TLS session ID: [+] Cipher suite: TLS_RSA_WITH_RC4_128_SHA <--- certificate() [+] Server certificate length: 554 <--- server_hello_done() --> client_key_exchange() --> change_cipher_spec() --> finished() <--- change_cipher_spec() <--- finished() --> application_data() GET / HTTP/1.0 <--- application_data() HTTP/1.0 200 OK Hello! [+] Closing TCP connection! 13 / 16

Task Client has to support TLS RSA WITH RC4 128 SHA cipher suite Template contains fully implemented PRF(), derive master secret(), derive keys(), encrypt(), decrypt() and client/server finished hash calculation code Make sure you provide correct inputs to these functions (!!!) Your code should work on www.ut.ee. Grading: 2 points if a server accepts your ClientKeyExchange message 2 points if a server accepts your Finished message 1 point if your code verifies server s Finished message 2 points if your code can show HTTP response You can use s server for development (listens on port 4433): $ openssl s_server -cert cert.pem -key priv.pem -debug -msg -www Or tls server.py (provides more verbose information) Wireshark Decode As TCP Destination 4433 SSL 14 / 16

Debugging $ python tls_server.py --port 4433 [+] Connection from 127.0.0.1:38452 <--- client_hello() [+] version: 0301 [+] client randomness: 53723DC0A35CF83D35EB0AD0E37AFD4D9506C4A8040E0BF9EAA3A76185B36F17 [+] client timestamp: 1970-01-01 03:00:00 [+] TLS session ID: [+] Cipher suites: TLS_RSA_WITH_RC4_128_SHA [+] Compression methods: null [+] Extensions length: 0 --> server_hello() [+] server randomness: 57359448EF20879409852D451B1A3089D620A95944BF8092AF486049573EE86A [+] server timestamp: 2016-05-13 11:46:00 [+] TLS session ID: [+] Cipher suite: TLS_RSA_WITH_RC4_128_SHA --> certificate() [+] Server certificate length: 554 --> server_hello_done() <--- client_key_exchange() [+] PreMaster length: 128 [+] PreMaster (encrypted): 2d77eb79e9713a67b91cf698fb58e15df17c3b42e8fe963847961d3b77f96c6ce7aeed2cd2fa162ae8d4a4d7051c [+] PreMaster: 03019b365e7bd59dcfa6dba34777da790ade7642cec4f643bb89a7a9a8b89eab90f6788b51cd85abd50c3816a436b1e4 <--- change_cipher_spec() [+] Applying cipher suite: [+] master_secret = PRF(03019b365e7bd59dcfa6dba34777da790ade7642cec4f643bb89a7a9a8b89eab90f6788b51cd85abd50c381 [+] master_secret: bbfeb4a6ae093ecd38171f980f08a7d840dad77777c8827167335ce724218607f0a03e9a663c250f903e391e1d47 [+] client_mac_key: 9980e4d6ea7e433ad4e2be75645318903dc942af [+] server_mac_key: fcf88e9b9e361b0cc0cc547313f53ab9de5f709a [+] client_enc_key: 1d4cf122a63930b347547dcb516b21f4 [+] server_enc_key: 8bc00ba328a5a0df56778f1f5bd74f63 <--- finished() [+] client_verify (received): 8232f05b92f01eb7d8138859 [+] client_verify (calculated): 8232f05b92f01eb7d8138859 --> change_cipher_spec() --> finished() <--- application_data() GET / HTTP/1.0 --> application_data() HTTP/1.0 200 OK Hello! [+] Closing TCP connection! 15 / 16

RC4 (TLS RSA WITH RC4 128 SHA) $ python tls_client.py https://www.swedbank.ee/ --> client_hello() <--- alert() [-] fatal: 40 $ python tls_client.py https://www.nordea.ee/ --> client_hello() <--- alert() [-] fatal: 40 $ python tls_client.py https://www.eesti.ee/ --> client_hello() <--- alert() [-] fatal: 40 $ python tls_client.py https://www.ut.ee/ --> client_hello() <--- server_hello() [+] server randomness: 572C8EF6A59AB7C76584B3E988D1185C3010E67CDF2975FB9C5B522F898674BE [+] server timestamp: 2016-05-06 15:32:54 [+] TLS session ID: D6EF3177BAFBA2A28399A0D2E08D6E4750527000BCACD75D21A814ECDA1BBA87 [+] Cipher suite: TLS_RSA_WITH_RC4_128_SHA <--- certificate() [+] Server certificate length: 1430 <--- server_hello_done() --> client_key_exchange() --> change_cipher_spec() --> finished() <--- change_cipher_spec() <--- finished() --> application_data() GET / HTTP/1.0 <--- application_data() HTTP/1.1 301 Moved Permanently Date: Fri, 06 May 2016 12:32:54 GMT Server: Apache/2.2.15 (CentOS) Location: http://www.ut.ee/ Content-Length: 307 Connection: close Content-Type: text/html; charset=iso-8859-1 [+] Closing TCP connection! 16 / 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback