SSL/TLS CONT Lecture 9a

Similar documents
Secure Socket Layer. Security Threat Classifications

CSCE 715: Network Systems Security

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Chapter 5. Transport Level Security

MTAT Applied Cryptography

TRANSPORT-LEVEL SECURITY

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

CIS 5373 Systems Security

Chapter 8 Web Security

Interested in learning more about security? SSL/TLS: What's Under the Hood. Copyright SANS Institute Author Retains Full Rights

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

ecure Sockets Layer, or SSL, is a generalpurpose protocol for sending encrypted

CS669 Network Security

Lecture for February 10, 2016

Security Protocols and Infrastructures. Winter Term 2010/2011

E-commerce security: SSL/TLS, SET and others. 4.1

Security Protocols and Infrastructures

Security Protocols and Infrastructures. Winter Term 2015/2016

Transport Layer Security

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

TLS connection management & application support. Giuseppe Bianchi

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Chapter 4: Securing TCP connections

Request for Comments: Category: Standards Track Independent Consultant J. Mikkelsen Transactionware T. Wright Vodafone April 2006

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

MTAT Applied Cryptography

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Request for Comments: D. Hopwood Independent Consultant J. Mikkelsen Transactionware T. Wright Vodafone June 2003

Network Working Group Request for Comments: Category: Standards Track April 2006

The SSL Protocol. Version 3.0. Netscape Communications Corporation. Internet Draft March 1996 (Expires 9/96)

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Transport Layer Security

Internet security and privacy

Overview. SSL Cryptography Overview CHAPTER 1

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Lecture: Transport Layer Security (secure Socket Layer)

18739A: Foundations of Security and Privacy. SSL/TLS Analysis. Anupam Datta. CMU Fall

Transport Level Security

Cryptography (Overview)

Introduction to Network Security Missouri S&T University CPE 5420 Application and Transport Layer Security

Introduction to Cryptography Lecture 11

CS 356 Internet Security Protocols. Fall 2013

Auth. Key Exchange. Dan Boneh

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Chapter 12 Security Protocols of the Transport Layer

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

cs526: Information Security Cristina Nita-Rotaru

Security analysis of DTLS 1.2 implementations

Coming of Age: A Longitudinal Study of TLS Deployment

But where'd that extra "s" come from, and what does it mean?

Securing Network Communications

CS 161 Computer Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

SSL Time-Diagram. Second Variant: Generation of an Ephemeral Diffie-Hellman Key

TLS1.2 IS DEAD BE READY FOR TLS1.3

Digital Certificates Demystified

Auditing IoT Communications with TLS-RaR

Transport Layer Security

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

One Year of SSL Internet Measurement ACSAC 2012

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Using SRP for TLS Authentication

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Security of network applications. Standard situation. Channel security. Antonio Lioy - Politecnico di Torino ( ) 1

Displaying SSL Configuration Information and Statistics

Securing IoT applications with Mbed TLS Hannes Tschofenig

Junction SSL Debugging With Wireshark

TLS Extensions Project IMT Network Security Spring 2004

C O M P U T E R S E C U R I T Y

Crypto meets Web Security: Certificates and SSL/TLS

TLS 1.2 Protocol Execution Transcript

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Information Security CS 526

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Chapter - 6 WIRELESS NETWORK SECURITY

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

SSL/TLS. Pehr Söderman Natsak08/DD2495

Data Security and Privacy. Topic 14: Authentication and Key Establishment

SSL/TLS FOR MORTALS.

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 5

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

TLS Security and Future

Computer Security Course. Public Key Crypto. Slides credit: Dan Boneh

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Proving who you are. Passwords and TLS

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Enhancing Transport Layer Security with Dynamic Identification, Validation, and Authentication

Understanding Traffic Decryption

Overview of TLS v1.3 What s new, what s removed and what s changed?

TLS 1.1 Security fixes and TLS extensions RFC4346

Requirements from the. Functional Package for Transport Layer Security (TLS)

Transcription:

SSL/TLS CONT Lecture 9a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 11, 2017 Source of some slides: University of Twente

2 HANDSHAKE PROTOCOL: KEY EXCHANGE AND AUTHENTICATION Client Server If requested by the client, the server sends its authentication data plus keys If necessary, the client sends its authentication data plus keys

3 HANDSHAKE PROTOCOL: PHASE 2 Certificate message Server s X.509v3 certificate followed by optional chain of certificates Required for RSA, Fixed DH, Ephemeral DH but not for Anonymous DH Server Key Exchange message Not needed for RSA and Fixed DH Required for Ephemeral DH and Anonymous DH Needed for RSA where the server has signature-only key

4 HANDSHAKE PROTOCOL: PHASE 2 Server Key Exchange message Signed by the server Signature is on hash of ClientHello.random, ServerHello.random Server Key Exchange parameters Certificate Request message Requests a certificate from the client Server Done message Ends phase 2, always required

5 HANDSHAKE PROTOCOL: PHASE 3 Certificate message Send if the server has requested certificate and the client has appropriate certificate Otherwise, send no_certificate alert Client Key Exchange message Content depends on type of key exchange (see next slide) Certificate Verify message Can be optionally sent following a client certificate with signing capability Signs hash of master secret (established by key exchange) and all handshake messages so far Provides evidence of possessing private key corresponding to certificate

6 HANDSHAKE PROTOCOL: PHASE 3 Client Key Exchange message RSA Client generates 48-byte pre-master secret, which is encrypted with the server s RSA public Ephemeral or Anonymous DH Fixed DH Client s public DH value Null, public key previously sent in the Certificate message

7 HANDSHAKE PROTOCOL: PHASE 3 48-byte pre-master secret RSA DH Generated by the client Sent encrypted to the server Both sides compute the same value Each side uses its own private value and the other side s public value

8 HANDSHAKE PROTOCOL: PHASE 3 pre_master_secret: 48 bytes master_secret = PRF(pre_master_secret, "master secret", ClientHello.random, ServerHello.random)

PRE-MASTER SECRET AND MASTER SECRET Pre_master_secret Computed for each session during handshaking Could be the same for all sessions It is not stored (so safe) Master_secret It is stored for the lifetime of the session May be compromised If compromised, damage limited to a session 9

10 GENERATION OF CRYPTOGRAPHIC PARAMETERS An SSL session needs four keys Four keys Client write MAC secret Server write MAC secret Client write key (for encryption) Server write key Two IVs Client write IV (for CBC) Server write IV These parameters are generated from the master secret

11 CHANGE CIPHER SPEC PROTOCOL Client Server Change cipher spec activates new algorithms Finished verifies new algorithms After the server sends Finished, actual data exchange starts

HANDSHAKE PROTOCOL: PHASE 4 Change Cipher Spec message Not considered part of the handshake protocol but in some sense is part of it Finished message Sent under new algorithms and keys Content is hash of all previous messages and master secret 12

13 PARTICIPANTS AS FINITE-STATE MACHINES Client state M_SLEEP ClientHello Server state M_CLIENT_HELLO ServerHello M_SERVER_HELLO M_SEND_KEY ServerKeyExchange M_SERVER_KEY M_CLIENT_KEY M_SEND_KEY ClientKeyExchange M_DONE

PROTOCOL IN ACTION Browser Client-hello Server-hello + Server-cert (PK) Server Cert SK rand k Key exchange (several options) Client-key-exchange: E(PK, k) k Finished HTTP data encrypted with KDF(k) Most common: Server authentication only 14

15 SSL ALERT PROTOCOL Conveys SSL-related alerts to peer entities 2-byte alert messages 1-byte level Fatal or warning 1-byte code Alert code Severity Fatal Warning

16 ALERT PROTOCOL Specific alert Fatal: Unexpected message, bad record MAC, decompression failure, handshake failure, and illegal parameter Warning: Close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, and certificate unknown Compressed and encrypted like all SSL data

ALERT PROTOCOL 17

18 SSL ALERT MESSAGES Warning or fatal close_notify(0), unexpected_message(10), bad_record_mac(20), decryption_failed(21), record_overflow(22), decompression_failure(30), handshake_failure(40), bad_certificate(42), unsupported_certificate(43), certificate_revoked(44), certificate_expired(45), certificate_unknown(46), illegal_parameter(47), unknown_ca(48), access_denied(49), decode_error(50), decrypt_error(51), export_restriction(60), protocol_version(70), insufficient_security(71), internal_error(80), user_canceled(90), no_renegotiation(100),

HEARTBEAT PROTOCOL A periodic signal generated to indicate normal operation or to synchronise other parts of a system Typically used to monitor the availability of a protocol entity Defined in 2012 in RFC 6250 Runs on top of the TLS Record Protocol Use is established during Phase 1 of the handshake protocol Each peer indicates whether it supports heartbeats Serves two purposes: Assures the sender that the recipient is still alive Generates activity across the connection during idle periods 19

HEARTBLEED For this image, thanks to FenixFeather 20

APPLICATION PORTS https 443 ssmtp 465 snntp 563 sldap 636 spop3 995 ftp-data 889 ftps 990 imaps 991 telnets 992 ircs 993 21

22 SUMMARY SSL/TLS is based on two main sub-protocols Handshake protocol for key establishment Record protocol for secure communication It uses authenticated encryption Variation: MAC and then encrypt Key exchange methods use RSA and DH A master secret is generated from a pre-master secret for providing forward secrecy

23 RESOURCES Read Chapter 5 of Network Security Essentials Applications and Standards Fourth Edition William Stallings Prentice Hall ISBN 0-13-706792-5 OpenSSL: https://www.openssl.org/ A free open-source implementation of SSL

24 Questions? Thanks for your attention!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback