Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Similar documents
Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Chapter 4: Securing TCP connections

CSCE 715: Network Systems Security

Transport Layer Security

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Internet security and privacy

E-commerce security: SSL/TLS, SET and others. 4.1

Auth. Key Exchange. Dan Boneh

MTAT Applied Cryptography

Transport Layer Security

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Security Protocols and Infrastructures. Winter Term 2010/2011

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Chapter 8 Web Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Security Protocols and Infrastructures. Winter Term 2015/2016

Secure Socket Layer. Security Threat Classifications

Transport Level Security

CS 356 Internet Security Protocols. Fall 2013

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Key Establishment and Authentication Protocols EECE 412

CS 494/594 Computer and Network Security

Cryptography (Overview)

Real-time protocol. Chapter 16: Real-Time Communication Security

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Security Protocols and Infrastructures

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

CS 161 Computer Security

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Overview. SSL Cryptography Overview CHAPTER 1

Cryptographic Protocols 1

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Crypto meets Web Security: Certificates and SSL/TLS

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

SSL/TLS. Pehr Söderman Natsak08/DD2495

One Year of SSL Internet Measurement ACSAC 2012

Network Security: IPsec. Tuomas Aura

SSL/TLS CONT Lecture 9a

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Network Security: Classic Protocol Flaws, Kerberos. Tuomas Aura

Chapter 5. Transport Level Security

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Information Security CS 526

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

14. Internet Security (J. Kurose)

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

MTAT Applied Cryptography

Datasäkerhetsmetoder föreläsning 7

CIS 4360 Secure Computer Systems Applied Cryptography

TLS 1.2 Protocol Execution Transcript

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

Key Management and Distribution

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Securely Deploying TLS 1.3. September 2017

Key Agreement Schemes

Transport Layer Security

CIS 5373 Systems Security

David Wetherall, with some slides from Radia Perlman s security lectures.

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

TRANSPORT-LEVEL SECURITY

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

UNIT - IV Cryptographic Hash Function 31.1

Securing IoT applications with Mbed TLS Hannes Tschofenig

Coming of Age: A Longitudinal Study of TLS Deployment

Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices. Abstract

TLS Extensions Project IMT Network Security Spring 2004

Security: Focus of Control. Authentication

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Securing Internet Communication: TLS

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Practical Issues with TLS Client Certificate Authentication

CS Computer Networks 1: Authentication

AIR FORCE INSTITUTE OF TECHNOLOGY

(Continue) Cryptography + (Back to) Software Security

Encryption. INST 346, Section 0201 April 3, 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

But where'd that extra "s" come from, and what does it mean?

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

CSE543 Computer and Network Security Module: Network Security

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Chapter 12 Security Protocols of the Transport Layer

Request for Comments: 5422 Category: Informational H. Zhou Cisco Systems March 2009

Transcription:

Network Security: TLS/SSL Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010

Outline 1. Diffie-Hellman 2. Key exchange using public-key encryption 3. Goals of authenticated key exchange 4. TLS/SSL 5. TLS handshake 6. TLS record protocol 7. TLS trust model 2

3 Diffie-Hellman key exchange

Diffie-Hellman DH Public Key DH A = g x DH A = g x DH B = g y DH Public Key DH B = g y K AB := (g y ) x K AB = (g x ) y K AB = g xy A Insecure network K AB = g xy B Key exchange based on commutative public-key operations 4

Diffie-Hellman DH Public Key DH A = g x DH A = g x DH B = g y DH Public Key DH B = g y K AB := (g y ) x K AB = (g x ) y K AB = g xy A Insecure network K AB = g xy B Key exchange based on commutative public-key operations Each party has its own secret exponent x, y Each party sends or publishes its own public DH key Both compute the same shared secret or key material Public-key notations: g x, g y, DH A, DH B, DH-A, DH-B, PK B, PK B Shared secret notations: g xy, SK, K AB, K DH Needs authentication! 5

Impersonation attack Diffie-Hellman is secure against passive attackers Not possible to discover the shared secret by sniffing the network Vulnerable to an active attack: To A, the attacker can pretend to be B To B, the attacker can pretend to be A DH A = g x DH A =g x DH B =g z DH B = g z K AB := (g z ) x K AB = (g x ) z K AB = g xz K AB = g xz A Attacker T pretending to be B 6

Man-in-the-middle (MitM) attack Attacker pretends to be A to B and B to A Attacker shares session keys with both A and B and can translate session data between the two secure sessions DH A = g x DH A =g x DH B =g z DH T = g z DH B =g y DH A =g z DH B = g y K AB := (g z ) x K AB = (g z ) y K AB = g xz K AT = g xz K TB = g yz K AB = g yz A Attacker T B 7

Alice and Bob notation Common informal notation for cryptographic protocols Alice A, Bob B, Carol C, Trent T, Client C, Server S, Initiator I, Responder R, etc. Insecure Diffie-Hellman: A B: A, g x B A: B, g y SK = h(g xy ) Man-in-the-middle attack: A T(B): A, g x // Trent intercepts the message T(A) B: A, g z // Trent spoofs the message B T(A): B, g y // Trent intercepts the message T(B) A: B, g z // Trent spoofs the message 8

Signed Diffie-Hellman (Toy examples) MitM attack can be prevented with authentication of the DH public keys Signed Diffie-Hellman (insecure): A B: A, g x, S A (A, g x ), Cert A B A: B, g y, S B (B, g y ), Cert B Cert A is a standard public-key certificate, e.g. X.509, where the subject key is A s public signature key But what about freshness? Signed Diffie-Hellman with time stamps (a bit better): A B: A, T A, g x, S A (A, T A, g x ), Cert A B A: B, T B, g y, S B (B, T B, g y ), Cert B SK = h(t A, T B, g xy ) Two sources of freshness: Time stamps are fresh DH exponents may be fresh 9

Security properties Signed Diffie-Hellman with time stamps: A B: A, T A, g x, S A (A, T A, g x ), Cert A B A: B, T B, g y, S B (B, T B, g y ), Cert B SK = h(t A, T B, g xy ) Properties: Secret, fresh session key known only by A and B Mutual authentication of session key Separation between long-term secrets (private signature keys) and short-term secrets (DH exponents and session key) Contributory: both contribute to SK and neither side alone can decide SK value Missing properties: Only partial entity authentication: each party knows that the other is alive but not that the other intended to participate in a key exchange between A and B No key confirmation: neither party knows whether that the other computed the same SK Partial non-repudiation of participation: signature proves participation in a key exchange at a certain time, but not with whom No identity protection No protection against DoS by flood of spoofed first messages 10

Signed DH with key confirmation Signed Diffie-Hellman with nonces: (Somewhat realistic protocol) A B: A, B, N A, g x, S A (A, B, N A, g x ), Cert A B A: A, B, N A, N B, g x, g y, S B (A, B, N A, N B, g x, g y ), Cert B A B: A, B, MAC SK (A, B, Done. ) SK = h(n A, N B, g xy ) Mutual entity authentication and key confirmation requires (at least) three messages Real protocols are even more complex: Version and algorithm negotiation DoS protection Identity protection 11

Ephemeral Diffie-Hellman Perfect forward secrecy (PFS): session keys and data from past sessions is safe even if the long-term secrets, such as private keys, are later compromised Even participants themselves cannot recover old session keys (Not clear why it is called perfect ) Common way to implement PFS is ephemeral DH: both sides use a new DH exponents in every key exchange Cost of forward secrecy: Random-number generation for new exponents Computation of new DH public keys Typically DH exponents are replaced every day or hour PFS only after deleting exponents and session keys nonces required for freshness General principle of implementing PFS: create a new temporary public key pair for each key exchange and afterwards discard the private key 12

Security properties Signed Diffie-Hellman with nonces: A B: A, B, N A, g x, S A (A, B, N A, g x ), Cert A B A: A, B, N A, N B, g x, g y, S B (A, B, N A, N B, g x, g y ), Cert B A B: A, B, MAC SK (A, B, Done. ) SK = h(n A, N B, g xy ) Properties: Secret, fresh session key known only by A and B Mutual authentication of session key Separation between long-term secrets (private signature keys) and short-term secrets (DH exponents and session key) Mutual entity authentication and key confirmation (requires subtle reasoning!) Contributory: both contribute to SK and neither side alone can decide SK value Can provide perfect forward secrecy if the DH exponents are not reused Missing properties: Partial non-repudiation: signature proves participation in a key exchange between A and B, but not when No identity protection No protection against DoS by flood of spoofed first messages 13

Key exchange using public-key encryption

PK encryption of session key Public-key encryption of the session key (insecure): A B: A, PK A B A: B, E A (SK) SK = session key E A ( ) = encryption with A s public key Man-in-the-middle attack: A T(B): A, PK A T(A) B: A, PK T B T(A): B, E T (SK) T(B) A: B, E A (SK) // Trent intercepts the message // Trent spoofs the message // Trent intercepts the message // Trent spoofs the message 15

Authenticated key exchange (Somewhat realistic protocol) Public-key encryption of the session key: A B: A,B, N A, Cert A B A: A,B,N A,N B,E A (KM),S B (A,B, N A,N B, E A (KM)), Cert B A B: A,B, MAC SK (A,B, Done. ) SK = h(n A,N B, KM) (why not SK = KM?) KM = random key material generated by B Cert A = certificate for A s public encryption key E A ( ) = encryption with A s public key Cert B = certificate for B s public signature key S B ( ) = B s signature Typically RSA encryption and signatures 16

Security properties Public-key encryption of the session key: A B: A,B, N A, Cert A B A: A,B,N A,N B,E A (KM),S B (A,B, N A,N B, E A (KM)), Cert B A B: A,B, MAC SK (A,B, Done. ) SK = h(n A,N B, KM) Properties: Secret, fresh session key known only by A and B Mutual authentication of session key Mutual entity authentication Mutual key confirmation (requires subtle reasoning!) Separation between long-term secrets (private RSA keys) and short-term secrets (KM, SK) Contributory: neither side can decide SK alone Missing properties: Partial non-repudiation of participation of B: signature proves participation in a key exchange with A, but not when; plausible deniability for A No perfect forward secrecy No identity protection No protection against DoS by flood of spoofed first messages 17

Goals of authenticated key exchange

Basic security goals Create a good session key: Secret i.e. known only to the intended participants Fresh i.e. never used before Authentication: Mutual i.e. bidirectional authentication: each party knows with whom it shares the session key Sometimes only unidirectional (one-way) authentication Optional properties: Entity authentication: each participant know that the other is online and participated in the protocol Key confirmation: each participant knows that the other knows the session key Separation of long-term and short-term secrets: long term secrets such as private keys or shared master keys are not compromised even if session keys are Perfect forward secrecy: compromise of current secrets should not compromise past session keys Contributory: both parties contribute to the session key; neither can decide the session-key alone

Advanced security goals Non-repudiation A party cannot later deny taking part (usually not an explicit goal) Plausible deniability No evidence left of taking part (usually not an explicit goal either) Integrity check for version and algorithm negotiation Increases difficulty of fall-back attacks Identity protection: Outsiders cannot learn the identities of the protocol participants Usually, one side must reveal its identity first, making it vulnerable to active attacks against identity protection Denial-of-service resistance: The protocol cannot be used to exhaust memory or CPU of the participants The protocol cannot be used to flood third parties with data It is not easy to prevent the participants from completing the protocol

TLS/SSL

TLS/SSL Originally Secure Sockets Layer (SSLv3) by Netscape in 1995 Originally intended to facilitate web commerce: Fast adoption because built into web browsers Encrypt credit card numbers and passwords on the web Early resistance, especially in the IETF: IPSec will eventually replace TLS/SSL TLS/SSL is bad because it slows the adoption of IPSec Now SSL/TLS is the dominant encryption standard Standardized as Transport-Layer Security (TLS) by IETF [RFC 5246] Minimal changes to SSLv3 implementations but not interoperable 22

TLS/SSL architecture (1) Encryption and authentication layer added to the protocol stack between TCP and applications End-to-end security between client and server, usually web browser and server Application Application TLS TCP IP Application Application TLS TCP IP Internet 23

TLS/SSL architecture (2) TLS Handshake Protocol authenticated key exchange TLS Record Protocol block data delivery Application data (e.g. HTTP) TLS Handshake Protocol TLS Record Protocol TCP IP General architecture of security protocols: authenticated key exchange + session protocol TSL specifies separate minor protocols : Alert error messages Change Cipher Spec turn on encryption or update keys 24

Cryptography in TLS Key-exchange mechanisms and algorithms organized in cipher suites Negotiated in the beginning of the handshake Example: TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA = handshake: RSA-based key exchange Key-exchange uses its own MAC composed of SHA-1 and MD5 3DES_EDE_CBC = data encryption with 3DES block cipher in EDE and CBC mode SHA = data authentication with HMAC-SHA-1 TLS mandatory cipher suites: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (TLS 1.0) DHE_DSS = handshake: ephemeral Diffie-Hellman key exchange authenticated with DSS* signatures TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLS 1.1) TLS_RSA_WITH_AES_128_CBC_SHA (TLS 1.2) SHA-1 and MD5 in key exchange replaced with negotiable MAC algorithm in TLS 1.2 Insecure cipher suites: TLS_NULL_WITH_NULL_NULL TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS handshake 26

TLS handshake protocol Runs on top of TLS record protocol Negotiates protocol version and cipher suite (i.e. cryptographic algorithms) Protocol versions: 3.0 = SSLv3, 3.1 = TLSv1 Cipher suite e.g. DHE_RSA_WITH_3DES_EDE_CBC_SHA Performs authenticated key exchange Often only server authenticated 27

Protocol versions, client nonce, cipher suites Client ClientHello Optional, client typically unauthenticated. E.g. client D-H key Signature Key confirmation TLS Handshake (DH) Certificate* ClientKeyExchange CertificateVerify* ChangeCipherSpec Finished Application data 28 1. Negotiation 2. Authentication 3. Key exchange 4. Key confirmation 5. Start session Protocol Server ServerHello Certificate* ServerKeyExchange* CertificateRequest* ServerHelloDone ChangeCipherSpec Finished Application data version, server nonce, cipher suite Server certificate E.g. server D-H key and signature Key confirmation Encrypted and MAC ed session data

1. C S: ClientHello 2. S C: ServerHello, Certificate, [ ServerKeyExchange ], [ CertificateRequest ], ServerHelloDone 3. C S: [ Certificate ], ClientKeyExchange, [ CertificateVerify ], ChangeCipherSpec, Finished 4. S C: ChangeCipherSpec, Finished TLS handshake [Brackets] indicate fields for bidirectional authentication 29

TLS_DHE_DSS handshake 1. C S: Versions, N C, SessionId, CipherSuites 2. S C: Version, N S, SessionId, CipherSuite CertChain S g, n, g y, Sign S (N C, N S, g, n, g y ) [ Root CAs ] 3. C S: [ CertChain C ] g x [ Sign C (all previous messages including N C, N S, g, n, g y, g x ) ] ChangeCipherSpec MAC SK ( client finished, all previous messages) 4. S C: ChangeCipherSpec MAC SK ("server finished, all previous messages) 1. Negotiation 2. Ephemeral Diffie-Hellman 3. Nonces 4. Signature 5. Certificates 6. Key confirmation and negotiation integrity check pre_master_secret = g xy master_secret = SK = h(g xy, master secret, N C, N S ) Finished messages are already protected by the new session keys 30

TLS_DHE_DSS handshake 1. C S: Versions, N C, SessionId, CipherSuites 2. S C: Version, N S, SessionId, CipherSuite CertChain S g, n, g y, Sign S (N C, N S, g, n, g y ) [ Root CAs ] 3. C S: [ CertChain C ] g x [ Sign C (all previous messages including N C, N S, g, n, g y, g x ) ] ChangeCipherSpec MAC SK ( client finished, all previous messages) 4. S C: ChangeCipherSpec MAC SK ("server finished, all previous messages) Secret and fresh session key? Mutual authentication? Entity authentication? Key confirmation? Perfect forward secrecy? Contributory key exchange? Non-repudiation or plausible deniability? Integrity check for negotiation? Identity protection? DoS protection? pre_master_secret = g xy master_secret = SK = h(pre_master_secret, master secret, N C, N S ) Finished messages are already protected by the new session keys 31

TLS_RSA handshake 1. C S: Versions, N C, SessionId, CipherSuites 2. S C: Version, N S, SessionId, CipherSuite CertChain S [ Root CAs ] 3. C S: [ CertChain C ] E S (pre_master_secret), [ Sign C (all previous messages including N C, N S, E S ( )) ] ChangeCipherSpec MAC SK ( client finished, all previous messages) 4. S C: ChangeCipherSpec MAC SK ("server finished, all previous messages) 1. Negotiation 2. RSA 3. Nonces 4. Signature 5. Certificates 6. Key confirmation and negotiation integrity check E S = RSA encryption (PKCS #1 v1.5) with S s public key from CertChain S pre_master_secret = random number chosen by C master_secret = SK = h(pre_master_secret, master secret, N C, N S ) Finished messages are already protected by the new session keys 32

TLS_RSA handshake 1. C S: Versions, N C, SessionId, CipherSuites 2. S C: Version, N S, SessionId, CipherSuite CertChain S [ Root CAs ] 3. C S: [ CertChain C ] E S (pre_master_secret), [ Sign C (all previous messages including N C, N S, g, n, g y, g x ) ] ChangeCipherSpec MAC SK ( client finished, all previous messages) 4. S C: ChangeCipherSpec MAC SK ("server finished, all previous messages) Secret and fresh session key? Mutual authentication? Entity authentication? Key confirmation? Perfect forward secrecy? Contributory key exchange? Non-repudiation or plausible deniability? Integrity check for negotiation? Identity protection? DoS protection? E S = RSA encryption (PKCS #1 v1.5) with S s public key from CertChain S pre_master_secret = random number chosen by C master_secret = SK = h(g xy, master secret, N C, N S ) Finished messages are already protected by the new session keys 33

Nonces in TLS Client and Server Random are nonces Concatenation of a real-time clock value and random number: struct { } Random; uint32 gmt_unix_time; opaque random_bytes[28]; 34

Session vs. connection TLS session can span multiple connections Client and server cache the session state and key Client sends the SessionId of a cached session in Client Hello, otherwise zero Server responds with the same SessionId if found in cache, otherwise with a fresh value New master_secret calculated for each connection fro old master_secret and fresh nonces Change of IP address does not invalidate cached sessions 35

TLS record protocol

TLS record protocol For write (sending): 1. Take arbitrary-length data blocks from upper layer 2. Fragment to blocks of 4096 bytes 3. Compress the data (optional) 4. Apply a MAC 5. Encrypt 6. Add fragment header (SN, content type, length) 7. Transmit over TCP server port 443 (https) For read (receiving): Receive, decrypt, verify MAC, decompress, defragment, deliver to upper layer 37

TLS record protocol - abstraction Abstract view: E K1 (data, HMAC K2 (SN, content type, length, data)) Different encryption and MAC keys in each direction All keys and IVs are derived from the master_secret TLS record protocol uses 64-bit unsigned integers starting from zero for each connection TLS works over TCP, which is reliable and preserves order. Thus, sequence numbers must be received in exact order 38

TSL trust model 39

Typical TLS Trust Model Trust root: web browsers come with a pre-configured list of root CAs (e.g. Verisign) Users can add or remove root CAs which do you accept? Root-CA public keys are stored in self-signed certificates Not really a certificate; just a way of storing the CA public keys Users usually do not have client certificates Businesses pay a CA to issue a server certificate; client users do not want to pay for certificates ser authentication is typically down with passwords over the server-authenticated HTTPS channel (e.g. web form or HTTP basic access authentication) 40

TLS Certificate Example Example of a TLS certificate chain: Nationwide (a building society in the UK) Issuer: VeriSign Class 3 Public Primary CA Subject: VeriSign Class 3 Public Primary CA Issuer: VeriSign Class 3 Public Primary CA Subject: CPS Incorp/VeriSign Issuer: CPS Incorp/VeriSign Subject: olb2.nationet.com Self-signed certificate in my list of trusted root CAs Certificate chain received in TLS handshake But how do I know that olb2.nationet.com is the Nationwide online banking site? 41

TLS Applications Originally designed for web browsing New applications: Any TCP connection can be protected with TLS The SOAP remote procedure call (SOAP RPC) protocol uses HTTP as its transport protocol. Thus, SOAP can be protected with TLS TLS-based VPNs EAP-TLS authentication and key exchange in wireless LANs and elsewhere The web-browser trust model is usually not suitable for the new applications! 42

Exercises Use a network sniffer (e.g. Netmon, Ethereal) to look at TLS/SSL handshakes. Can you spot a full handshake and session reuse? Can you see the lack of identity protection? What factors mitigate the lack of identity protection in TLS? How would you modify the TLS handshake to improve identity protection? Remember that the certificates are sent as plaintext and SessionId is also a traceable identifier. Why do most web servers prefer the RSA handshake? Consider removing fields from the TLS DHE and RSA key exchanges. How does each field contribute to security? How to implement perfect forward secrecy with RSA? Why have the mandatory-to-implement cipher suites changes over time? How many round trips between client and server do the TLS DHE and RSA key exchanges require? Consider also the TCP handshake and that certificates may not fit into one IP packet. Why is the front page of a web site often insecure (HTTP) even if the password entry and/or later data access are secure (HTTPS)? What security problems can this cause? What problems arise if you want to set up multiple secure (HTTPS) web sites behind a NAT or on a virtual servers that share only one IP address? (The server name extension (RFC 4366) provides some help.) 43

Related reading William Stallings. Network security essentials: applications and standards, 3rd ed.: chapters 7.1-7.2 William Stallings. Cryptography and Network Security, 4th ed.: chapters 17.1-17.2 Kaufmann, Perlman, Speciner. Network security, 2nd ed.: chapters 11, 19 Dieter Gollmann. Computer Security, 2nd ed.: chapter 13.4 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback