Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Similar documents
CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Transport Layer Security

Transport Layer Security

CSCE 715: Network Systems Security

Chapter 8 Web Security

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

E-commerce security: SSL/TLS, SET and others. 4.1

Chapter 4: Securing TCP connections

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Secure Socket Layer. Security Threat Classifications

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

Transport Level Security

MTAT Applied Cryptography

Security Protocols and Infrastructures. Winter Term 2010/2011

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Coming of Age: A Longitudinal Study of TLS Deployment

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

MTAT Applied Cryptography

Internet security and privacy

Overview. SSL Cryptography Overview CHAPTER 1

SSL/TLS. Pehr Söderman Natsak08/DD2495

Security Protocols and Infrastructures. Winter Term 2015/2016

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Cryptography (Overview)

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Chapter 5. Transport Level Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Security Protocols and Infrastructures

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Chapter 12 Security Protocols of the Transport Layer

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

CS 356 Internet Security Protocols. Fall 2013

CS 161 Computer Security

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

TRANSPORT-LEVEL SECURITY

Crypto meets Web Security: Certificates and SSL/TLS

CIS 5373 Systems Security

Securing IoT applications with Mbed TLS Hannes Tschofenig

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

But where'd that extra "s" come from, and what does it mean?

SSL/TLS CONT Lecture 9a

Transport Layer Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

TLS Extensions Project IMT Network Security Spring 2004

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Auth. Key Exchange. Dan Boneh

Encryption. INST 346, Section 0201 April 3, 2018

ON THE SECURITY OF TLS RENEGOTIATION

Datasäkerhetsmetoder föreläsning 7

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Lecture for February 10, 2016

Information Security CS 526

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Configuring Secure Socket Layer HTTP

Configuring Secure Socket Layer HTTP

Practical Issues with TLS Client Certificate Authentication

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

C O M P U T E R S E C U R I T Y

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Securing Internet Communication: TLS

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Plaintext-Recovery Attacks Against Datagram TLS

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

AIR FORCE INSTITUTE OF TECHNOLOGY

Findings for

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Security analysis of DTLS 1.2 implementations

TLS1.2 IS DEAD BE READY FOR TLS1.3

ecure Sockets Layer, or SSL, is a generalpurpose protocol for sending encrypted

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Securing Network Communications

Overview of TLS v1.3 What s new, what s removed and what s changed?

Configuring Secure Socket Layer HTTP

Presented by: Ahmed Atef Elnaggar Supervisor: Prof. Shawkat K.Guirguis

CSCE 715: Network Systems Security

Attack on Sun s MIDP Reference Implementation of SSL

Today s Lecture. Secure Communication. A Simple Protocol. Remote Authentication. A Simple Protocol. Rules. I m Alice. I m Alice

TLS 1.2 Protocol Execution Transcript

Performance Implications of Security Protocols

TLS/sRTP Voice Recording AddPac Technology

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Attacks on re-keying and renegotiation in Key Exchange Protocols

Managing SSL certificates in the ServerView Suite

COSC4377. Chapter 8 roadmap

(2½ hours) Total Marks: 75

Authenticated Encryption in TLS

Understanding Traffic Decryption

Cryptography and Network Security

Transcription:

Universität Hamburg SSL & Company Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Security in TCP/IP UH, FB Inf, SVS, 18-Okt-04 2

SSL/TLS Overview SSL/TLS provides security at TCP layer. Uses TCP to provide reliable, end-to-end transport. Applications need some modification. In fact, usually a thin layer between TCP and HTTP. History: Unreleased v1 (Netscape) Flawed (but useful) v2 Version 3 redefined from scratch Standard TLS1.0 SSL3.0 with minor tweaks, hence Version field is 3.1 RFC2246, http://www.ietf.org/rfc/rfc2246.txt Open-source implementation: http://www.openssl.org/ UH, FB Inf, SVS, 18-Okt-04 3 http://www.openssl.org/news/ 17-mar-2004: 04-nov-2003: 30-sep-2003: 19-Mar-2003: 17-Mar-2003: 19-feb-2003: 30-Jul-2002: Denial of Service flaws in 0.9.6l and 0.9.7c Denial of Service in ASN.1 parsing in 0.9.6k. Vulnerabilities in ASN.1 parsing. Klima-Pokorny-Rosa attack. timing attacks, RSA blinding. Vulnerabilities in OpenSSL versions before 0.9.6i and 0.9.7a Vulnerabilities in OpenSSL versions before 0.9.6e UH, FB Inf, SVS, 18-Okt-04 4

1994 (http://www.granneman.com/techinfo/background/history/) Mosaic, renamed Netscape, founded Netscape Navigator 1.0 released (introducing cookies & <CENTER>) Netscape releases spec for SSL, the Secure Sockets Layer David Filo & Jerry Yang create Yahoo to organize their bookmarks 28.8 modem avail. for $330 1st widespread spam by Canter & Siegel Radio stations begin broadcasting online UH, FB Inf, SVS, 18-Okt-04 5 SSL/TLS Basic Features SSL/TLS is widely used in Web browsers and servers to secure traffic: Microsoft IE, Netscape, Mozilla, Apache, IIS, SSL architecture provides two layers: SSL Record Protocol Provides secure, reliable channel to upper layer. Upper layer carrying: SSL Handshake Protocol, Change Cipher Spec. Protocol, Alert Protocol, HTTP, any other application protocols. UH, FB Inf, SVS, 18-Okt-04 6

SSL Protocol Architecture Application SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol Application SSL Record Protocol TCP UH, FB Inf, SVS, 18-Okt-04 7 SSL Protocol Architecture INITIALIZES COMMUNCATION BETWEEN CLIENT & SERVER Application ERROR HANDLING INITIALIZES SECURE COMMUNICATION SSL Handshk. Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol SSL Record Protocol Application HANDLES DATA COMPRESSION TCP UH, FB Inf, SVS, 18-Okt-04 8

SSL Record Protocol Provides secure, reliable channel to upper layer. Carries application data and SSL management data. Session concept: Sessions created by handshake protocol. Defines set of cryptographic parameters (encryption and hash algorithm, master secret, certificates). Carries multiple connections to avoid repeated use of expensive handshake protocol. Connection concept: State defined by nonces, secret keys for MAC and encryption, IVs, sequence numbers. Keys for many connections derived from single master secret created during handshake protocol. UH, FB Inf, SVS, 18-Okt-04 9 SSL Record Protocol SSL Record Protocol provides: Data origin authentication and integrity. MAC using algorithm similar to HMAC. Based on MD-5 or SHA-1 hash algorithms. MAC protects 64 bit sequence number for anti-replay. Confidentiality. Bulk encryption using symmetric algorithm. IDEA, RC2-40, DES-40 (exportable), DES, 3DES, RC4-40 and RC4-128. Data from application/upper layer SSL protocol partitioned into fragments (max size 2 14 bytes). 1. Add MAC, then padding (if needed), finally encrypt. 2. Prepend header (Content type, version, length of fragment). 3. Submit to TCP. UH, FB Inf, SVS, 18-Okt-04 10

SSL Record Protocol UH, FB Inf, SVS, 18-Okt-04 11 SSL Record Format UH, FB Inf, SVS, 18-Okt-04 12

SSL Handshake Protocol: Security Goals Entity authentication of participating parties. Participants are called client and server. Server nearly always authenticated, client rarely. Appropriate for most e-commerce applications. Establishment of a fresh, shared secret. Shared secret used to derive further keys. For confidentiality and authentication in SSL Record Protocol. Secure ciphersuite negotiation. Encryption and hash algorithms Authentication and key establishment methods. UH, FB Inf, SVS, 18-Okt-04 13 Overview OFFER CIPHER SUITE MENU TO SERVER CLIENT SIDE SERVER SIDE SELECT A CIPHER SUITE SEND CERTIFICATE AND CHAIN TO CA ROOT SEND ENCRYPTED SYMMETRIC KEY ACTIVATE ENCRYPTION CLIENT PORTION DONE ( CLIENT CHECKS OPTIONS ) SOURCE: THOMAS, SSL AND TLS ESSENTIALS NOW THE PARTIES CAN USE SYMMETRIC ENCRYPTION SEND PUBLIC KEY TO ENCRYPT SYMM KEY SERVER NEGOTIATION FINISHED ( SERVER CHECKS OPTIONS ) ACTIVATE SERVER ENCRYPTION SERVER PORTION DONE UH, FB Inf, SVS, 18-Okt-04 14

SSL Handshake Protocol Key Exchange SSL supports several key establishment mechanisms. Most common is RSA encryption Client chooses pre_master_secret, encrypts using public RSA key of server, sends to server. Can create pre_master_secret from: Fixed Diffie-Hellman D-H parameters, signed by a CA DSS or RSA algorithms used to sign Ephemeral Diffie-Hellman Server and Client choose fresh Diffie-Hellman components and sign it with a certificate Anonymous Diffie-Hellman Each side sends Diffie-Hellman values, but no authentication. Vulnerable to man-in-middle attacks. UH, FB Inf, SVS, 18-Okt-04 15 SSL Handshake Protocol Entity Authentication SSL supports several different entity authentication mechanisms. Most common based on RSA. Ability to decrypt pre_master_secret and generate correct MAC in finished message using keys derived from pre_master_secret authenticates server to client. Less common: DSS or RSA signatures on nonces (and other fields, e.g. Diffie-Hellman values). UH, FB Inf, SVS, 18-Okt-04 16

SSL Handshake Protocol SSL uses symmetric keys: MAC and encryption at Record Layer. Different keys in each direction. These keys are established as part of the SSL Handshake Protocol. The SSL Handshake Protocol is a complex protocol with many options UH, FB Inf, SVS, 18-Okt-04 17 SSL Key Derivation Keys used for MAC and encryption in Record Layer derived from pre_master_secret: Derive master_secret from pre_master_secret and client/server nonces using MD5 and SHA-1 hash functions. Derive key_block key material from master_secret and client/server nonces, by repeated use of hash functions. Split up key_block into MAC and encryption keys for Record Protocol as needed. UH, FB Inf, SVS, 18-Okt-04 18

SSL Handshake Protocol Run An illustrative protocol run follows. We choose the most common use of SSL. No client authentication. Client sends pre_master_secret using Server s RSA public encryption key from Server certificate. Server authenticated by ability to decrypt to obtain pre_master_secret, and construct correct finished message. Other protocol runs are similar. UH, FB Inf, SVS, 18-Okt-04 19 SSL Handshake Protocol Run M1: C S: ClientHello Client initiates connection. Sends client version number. 3.1 for TLS. Sends ClientNonce. 28 random bytes plus 4 bytes of time. Offers list of ciphersuites. key exchange and authentication options, encryption algorithms, hash functions. E.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA. UH, FB Inf, SVS, 18-Okt-04 20

Client Hello - Cipher Suites SSL_NULL_WITH_NULL_NULL = { 0, 0 } INITIAL (NULL) CIPHER SUITE PUBLIC-KEY ALGORITHM SYMMETRIC ALGORITHM HASH ALGORITHM SSL_RSA_WITH_NULL_MD5 = { 0, 1 } SSL_RSA_WITH_NULL_SHA = { 0, 2 } SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 } SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 } SSL_RSA_WITH_RC4_128_SHA = { 0, 5 } SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 } SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 } SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 } SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 } SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 } CIPHER SUITE CODES USED IN SSL MESSAGES UH, FB Inf, SVS, 18-Okt-04 21 SSL Handshake Protocol Run M2: S C: ServerHello, ServerCertChain, ServerHelloDone Sends server version number. Sends ServerNonce and SessionID. Selects single ciphersuite from list offered by client. E.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA. Sends ServerCertChain message. Allows client to validate server s public key back to acceptable root of trust. (optional) CertRequest message. Omitted in this protocol run no client authentication. Finally, ServerHelloDone. UH, FB Inf, SVS, 18-Okt-04 22

SSL Handshake Protocol Run M3: C S: ClientKeyExchange, ChangeCipherSpec, ClientFinished ClientKeyExchange contains encryption of pre_master_secret under server s public key. ChangeCipherSpec indicates that client is updating cipher suite to be used on this session. Sent using SSL Change Cipher Spec. Protocol. (optional) ClientCertificate, ClientCertificateVerify messages. Only when client is authenticated. Finally, ClientFinished message. A MAC on all messages sent so far (both sides). MAC computed using master_secret. UH, FB Inf, SVS, 18-Okt-04 23 SSL Handshake Protocol Run M4: S C: ChangeCipherSpec, ServerFinished ChangeCipherSpec indicates that server is updating cipher suite to be used for this session. Sent using SSL Change Cipher Spec. Protocol. Finally, ServerFinished message. A MAC on all messages sent so far (both sides). MAC computed using master_secret. Server can only compute MAC if it can decrypt pre_master_secret in M3. UH, FB Inf, SVS, 18-Okt-04 24

SSL Handshake Protocol Run Summary: M1: C S: ClientHello M2: S C: ServerHello, ServerCertChain,ServerHelloDone M3: C S: ClientKeyExchange, ChangeCipherSpec, ClientFinished M4: S C: ChangeCipherSpec, ServerFinished UH, FB Inf, SVS, 18-Okt-04 25 SSL Encryption Master secret Generated by both parties from premaster secret and random values generated by both client and server Key material Generated from the master secret and shared random values Encryption keys Extracted from the key material UH, FB Inf, SVS, 18-Okt-04 26

Generating the Master Secret SERVER S PUBLIC KEY IS SENT BY SERVER IN ServerKeyExchange CLIENT GENERATES THE PREMASTER SECRET ENCRYPTS WITH PUBLIC KEY OF SERVER CLIENT SENDS PREMASTER SECRET IN ClientKeyExchange SENT BY CLIENT IN ClientHello SENT BY SERVER IN ServerHello MASTER SECRET IS 3 MD5 HASHES CONCATENATED TOGETHER = 384 BITS SOURCE: THOMAS, SSL AND TLS ESSENTIALS UH, FB Inf, SVS, 18-Okt-04 27 Generation of Key Material JUST LIKE FORMING THE MASTER SECRET EXCEPT THE MASTER SECRET IS USED HERE INSTEAD OF THE PREMASTER SECRET... SOURCE: THOMAS, SSL AND TLS ESSENTIALS UH, FB Inf, SVS, 18-Okt-04 28

Obtaining Keys from the Key Material SECRET VALUES INCLUDED IN MESSAGE AUTHENTICATION CODES SYMMETRIC KEYS INITIALIZATION VECTORS FOR DES CBC ENCRYPTION SOURCE: THOMAS, SSL AND TLS ESSENTIALS UH, FB Inf, SVS, 18-Okt-04 29 SSL Handshake Protocol Run 1. Is the client authenticated to the server in this protocol run? 2. Can an adversary learn the value of pre_master_secret? 3. Is the server authenticated to the client? 1. No. 2. No. Client has validated server s public key; Only holder of private key can decrypt ClientKeyExchange to learn pre_master_secret. 3. Yes. ServerFinished includes MAC on nonces computed using key derived from pre_master_secret. UH, FB Inf, SVS, 18-Okt-04 30

Other SSL Handshake Protocol Runs Many optional/situation-dependent protocol messages: M2 (S C) can include: ServerKeyExchange (e.g. for DH key exchange). CertRequest (for client authentication). M3 (C S) can include: ClientCert (for client authentication), ClientCertVerify (for client authentication). For details, see Stallings Figure 7.6 and pp. 212-219 (SSL) or RFC 2246 (TLS). UH, FB Inf, SVS, 18-Okt-04 31 SSL Handshake Protocol Additional Features SSL Handshake Protocol supports session resumption and ciphersuite re-negotiation. Allows authentication and shared secrets to be reused across multiple connections. Eg, next webpage from same website. Allows re-keying of current connection using fresh nonces. Allows change of ciphersuite during session. ClientHello quotes old SessionID. Both sides contribute new nonces, update master_secret and key_block. All protected by existing Record Protocol. UH, FB Inf, SVS, 18-Okt-04 32

Other SSL Protocols Alert protocol. Management of SSL session, error messages. Fatal errors and warnings. Change cipher spec protocol. Not part of SSL Handshake Protocol. Used to indicate that entity is changing to recently agreed ciphersuite. UH, FB Inf, SVS, 18-Okt-04 33 SSL and TLS TLS1.0 = SSL3.0 with minor differences. TLS signalled by version number 3.1. Use of HMAC for MAC algorithm. Different method for deriving keying material (master-secret and key-block). Pseudo-random function based on HMAC with MD5 and SHA-1. Additional alert codes. More client certificate types. Variable length padding. Can be used to hide lengths of short messages and so frustrate traffic analysis. And more. UH, FB Inf, SVS, 18-Okt-04 34

SSL/TLS Applications Secure e-commerce using SSL/TLS. Client authentication not needed until client decides to buy something. SSL provides secure channel for sending credit card information, personal details, etc. Client authenticated using credit card information, merchant bears (most of) risk. Very successful (online shops) UH, FB Inf, SVS, 18-Okt-04 35 SSL/TLS Applications Secure e-commerce: some issues. No guarantees about what happens to client data (including credit card details) after session: may be stored on insecure server. Does client understand meaning of certificate expiry and other security warnings? Does client software actually check complete certificate chain? Does the name in certificate match the URL of e-commerce site? Does the user check this? Is the site the one the client thinks it is? Is the client software proposing appropriate ciphersuites? UH, FB Inf, SVS, 18-Okt-04 36

SSL/TLS Applications Secure electronic banking. Client authentication may be enabled using client certificates. Issues: Registration, secure storage of private keys, revocation and re-issue. Otherwise, SSL provides secure channel for sending username, password, mother s maiden name, What else does client use same password for? Does client understand meaning of certificate expiry and other security warnings? Is client software proposing appropriate ciphersuites? Enforce from server. UH, FB Inf, SVS, 18-Okt-04 37 Some SSL/TLS Security Flaws (Historical) flaws in random number generation for SSL. Low quality RNG leads to predictable session keys. Goldberg and Wagner, Dr. Dobb s Journal, Jan. 1996. http://www.ddj.com/documents/s=965/ddj9601h/ Flaws in error reporting. (differing response times by server in event of padding failure and MAC failure) + (analysis of padding method for CBC-mode) = recovery of SSL plaintext. Canvel, Hiltgen, Vaudenay and Vuagnoux, Crypto2003, http://lasecwww.epfl.ch/php_code/publications/search.php?ref=chvv03 Timing attacks. analysis of OpenSSL server response times allows attacker in same LAN segment to derive server s private key! Boneh and Brumley, 12th Usenix Security Symposium, 2003. http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html UH, FB Inf, SVS, 18-Okt-04 38

Win2K UH, FB Inf, SVS, 18-Okt-04 39 Communicating Security to Users (1) UH, FB Inf, SVS, 18-Okt-04 40

Communicating Security to Users (1) UH, FB Inf, SVS, 18-Okt-04 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback