Securing Internet Communication: TLS

Similar documents
Securing Internet Communication

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Information Security CS 526

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS 161 Computer Security

CS 161: Cats and Penguins Midterm 2 Review

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

CS 494/594 Computer and Network Security

Real-time protocol. Chapter 16: Real-Time Communication Security

Cryptographic Protocols 1

Chapter 4: Securing TCP connections

Computer Networks. Wenzhong Li. Nanjing University

Encryption. INST 346, Section 0201 April 3, 2018

Crypto meets Web Security: Certificates and SSL/TLS

CS Computer Networks 1: Authentication

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

David Wetherall, with some slides from Radia Perlman s security lectures.

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

1.264 Lecture 28. Cryptography: Asymmetric keys

CS November 2018

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Spring 2010: CS419 Computer Security

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

CS 161 Computer Security

Authentication Handshakes

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

PROVING WHO YOU ARE TLS & THE PKI

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

CSC 474/574 Information Systems Security

CS 161 Computer Security

Distributed System Security

Lecture 7 - Applied Cryptography

CS 161 Computer Security

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Proving who you are. Passwords and TLS

CS 161 Computer Security

Linux Network Administration

Progressively Securing RIOT-OS!

CSC/ECE 774 Advanced Network Security

Security Handshake Pitfalls

(2½ hours) Total Marks: 75

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 9: Key Management

Diffie-Hellman. Part 1 Cryptography 136

UNIT - IV Cryptographic Hash Function 31.1

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

CSC 774 Network Security

On the Internet, nobody knows you re a dog.

Cryptography (Overview)

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Security Handshake Pitfalls

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

Public-Key Infrastructure NETS E2008

Security in ECE Systems

CSCE 715: Network Systems Security

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CS 161 Computer Security

14. Internet Security (J. Kurose)

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

More on DNS and DNSSEC

Transport Level Security

Transport Layer Security

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Network Security Chapter 8

PROTECTING CONVERSATIONS

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

CSE 127: Computer Security Network Security. Kirill Levchenko

Today s Lecture. Secure Communication. A Simple Protocol. Remote Authentication. A Simple Protocol. Rules. I m Alice. I m Alice

Introduction and Overview. Why CSCI 454/554?

CS 161 Computer Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Endpoint Security - what-if analysis 1

Overview. SSL Cryptography Overview CHAPTER 1

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Kurose & Ross, Chapters (5 th ed.)

CSC 8560 Computer Networks: Network Security

Summary on Crypto Primitives and Protocols

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Authentication and Key Distribution

Computer Communication Networks Network Security

Transcription:

Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016

Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases for crypto: Sealed blob : Data that is encrypted and authenticated under a particular key Secure channel: Communication channel that can t be eavesdropped on or tampered with Today: SSL a secure channel

Today s Lecture Goal #1: overview of SSL/TLS, the most prominent Internet security protocol Secures the web via HTTPS Goal #2: cement understanding of crypto building blocks & how they re used together

Building Secure End-to-End Channels End-to-end = communication protections achieved all the way from originating client to intended server With no need to trust intermediaries Dealing with threats: Eavesdropping? Encryption (including session keys) Manipulation (injection, MITM)? Integrity (use of a MAC); replay protection Impersonation? Signatures ( What s missing? ) Availability

Building A Secure End-to-End Channel: SSL/TLS SSL = Secure Sockets Layer (predecessor) TLS = Transport Layer Security (standard) Both terms used interchangeably Security for any application that uses TCP Secure = encryption/confidentiality + integrity + authentication (of server, but not of client) E.g., puts the s in https

Regular web surfing - http: URL But if we click here

Web surfing with TLS/SSL - https: URL Note: Amazon makes sure that all of these images, etc., are now also fetched via https: URLs. Doing so gives the web page full integrity, in keeping with end-to-end security. (Browsers do not provide this promotion automatically.)

Basic idea Browser (client) picks some symmetric keys for encryption + authentication Client sends them to server, encrypted using RSA publickey encryption Both sides send MACs Now they use these keys to encrypt and authenticate all subsequent messages, using symmetric-key crypto Browser E KA (keys) MAC k1 ( ) MAC k2 ( ) E k3 (message), MAC k1 ( ) Amazon Server

HTTPS Connection (SSL / TLS) Browser (client) connects to Amazon s HTTPS server Client picks 256-bit random number R B, sends over list of crypto algorithms it supports Browser Amazon Server Server picks 256-bit random number R S, selects algorithms to use for this session Server sends over its certificate (all of this is in the clear) Client now validates cert Hello. My rnd # = R B. I support (TLS+RSA+AES128+SHA1) or (SSL+RSA+3DES+MD5) or My rnd # = R S. Let s use TLS+RSA+AES128+SHA1 Here s my cert ~2-3 KB of data

HTTPS Connection (SSL / TLS) Browser (client) connects via Browser TCP to Amazon s HTTPS server Client picks 256-bit random number R B, sends over list of crypto protocols it supports Server picks 256-bit random number R S, selects protocols to use for this session Server sends over its certificate (all of this is in the clear) Client now validates cert SYN SYN ACK ACK Amazon Server Hello. My rnd # = R B. I support (TLS+RSA+AES128+SHA1) or (SSL+RSA+3DES+MD5) or My rnd # = R S. Let s use TLS+RSA+AES128+SHA1 Here s my cert ~2-3 KB of data

HTTPS Connection (SSL / TLS), cont. For RSA, browser constructs Premaster Secret PS Browser sends PS encrypted using Amazon s public RSA key K Amazon Using PS, R B, and R S, browser & server derive symm. cipher keys (C B, C S ) & MAC integrity keys (I B, I S ) One pair to use in each direction Browser PS Here s my cert ~2-3 KB of data {PS} K Amazon Amazon Server PS

HTTPS Connection (SSL / TLS), cont. For RSA, browser constructs Premaster Secret PS Browser sends PS encrypted using Amazon s public RSA key K Amazon Using PS, R B, and R S, browser & server derive symm. cipher keys (C B, C S ) & MAC integrity keys (I B, I S ) One pair to use in each direction Browser PS Here s my cert ~2-3 KB of data {PS} K Amazon Amazon Server PS These seed a cryptographically strong pseudo-random number generator (PRNG). Then browser & server produce C B, C S, etc., by making repeated calls to the PRNG.

HTTPS Connection (SSL / TLS), cont. For RSA, browser constructs Premaster Secret PS Browser sends PS encrypted using Amazon s public RSA key K Amazon Using PS, R B, and R S, browser & server derive symm. cipher keys (C B, C S ) & MAC integrity keys (I B, I S ) One pair to use in each direction Browser & server exchange MACs computed over entire dialog so far If good MAC, Browser displays All subsequent communication encrypted w/ symmetric cipher (e.g., AES128) cipher keys, MACs Sequence # s thwart replay attacks Browser PS Here s my cert ~2-3 KB of data {PS} K Amazon MAC(dialog,I B ) MAC(dialog,I S ) {M 1, MAC(M 1,I B )} CB {M 2, MAC(M 2,I S )} CS Amazon Server PS

Alternative: Key Exchange via Diffie-Hellman For Diffie-Hellman, server generates random a, sends public params and g a mod p Signed with server s private key Browser verifies signature Browser generates random b, computes PS = g ab mod p, sends to server Server also computes PS = g ab mod p Remainder is as before: from PS, R B, and R S, browser & server derive symm. cipher keys (C B, C S ) and MAC integrity keys (I B, I S ), etc Browser PS Here s my cert ~2-3 KB of data g b mod p MAC(dialog,I B ) MAC(dialog,I S ) {M 1, MAC(M 1,I B )} CB Amazon Server {g, p, g a mod p} K -1Amazon PS

HTTPS Connection (SSL / TLS) Browser (client) connects via Browser TCP to Amazon s HTTPS server Client picks 256-bit random number R B, sends over list of crypto protocols it supports Server picks 256-bit random number R S, selects protocols to use for this session Server sends over its certificate (all of this is in the clear) Client now validates cert SYN SYN ACK ACK Hello. My rnd # = R B. I support (TLS+RSA+AES128+SHA1) or (SSL+RSA+3DES+MD5) or My rnd # = R S. Let s use TLS+RSA+AES128+SHA1 Here s my cert ~2-3 KB of data Amazon Server

Certificates Cert = signed statement about someone s public key Note that a cert does not say anything about the identity of who gives you the cert It simply states a given public key K Bob belongs to Bob and backs up this statement with a digital signature made using a different public/private key pair, say from Verisign Bob then can prove his identity to you by you sending him something encrypted with K Bob which he then demonstrates he can read or by signing something he demonstrably uses Works provided you trust that you have a valid copy of Verisign s public key and you trust Verisign to use prudence when she signs other people s keys

Validating Amazon s Identity Browser compares domain name in cert w/ URL Note: this provides an end-to-end property (as opposed to say a cert associated with an IP address) Browser accesses separate cert belonging to issuer These are hardwired into the browser and trusted! There could be a chain of these Browser applies issuer s public key to verify signature S, obtaining hash of what issuer signed Compares with its own SHA-1 hash of Amazon s cert Assuming hashes match, now have high confidence it s indeed Amazon assuming signatory is trustworthy = assuming didn t lose private key; assuming didn t sign thoughtlessly

End-to-End Powerful Protections Attacker runs a sniffer to capture our WiFi session? (maybe by breaking crummy WEP security) But: encrypted communication is unreadable No problem! DNS cache poisoning? Client goes to wrong server But: detects impersonation No problem! Attacker hijacks our connection, injects new traffic But: data receiver rejects it due to failed integrity check No problem!

Powerful Protections, cont. DHCP spoofing? Client goes to wrong server But: detects impersonation No problem! Attacker manipulates routing to run us by an eavesdropper or take us to the wrong server? But: they can t read; we detect impersonation No problem! Attacker slips in as a Man In The Middle? But: they can t read, they can t inject They can t even replay previous encrypted traffic No problem!

Validating Amazon s Identity, cont. Browser retrieves cert belonging to the issuer These are hardwired into the browser and trusted! What if browser can t find a cert for the issuer?

Validating Amazon s Identity, cont. Browser retrieves cert belonging to the issuer These are hardwired into the browser and trusted! What if browser can t find a cert for the issuer? If it can t find the cert, then warns the user that site has not been verified Can still proceed, just without authentication Q: Which end-to-end security properties do we lose if we incorrectly trust that the site is whom we think? A: All of them! Goodbye confidentiality, integrity, authentication Active attacker can read everything, modify, impersonate

SSL / TLS Limitations Properly used, SSL / TLS provides powerful endto-end protections So why not use it for everything?? Issues: Cost of public-key crypto (fairly minor) o Takes non-trivial CPU processing (but today a minor issue) o Note: symmetric key crypto on modern hardware is non-issue Hassle of buying/maintaining certs (fairly minor)

SSL / TLS Limitations Properly used, SSL / TLS provides powerful endto-end protections So why not use it for everything?? Issues: Cost of public-key crypto (fairly minor) o Takes non-trivial CPU processing (but today a minor issue) o Note: symmetric key crypto on modern hardware is non-issue Hassle of buying/maintaining certs (fairly minor) Integrating with other sites that don t use HTTPS Latency: extra round trips 1 st page slower to load

SSL / TLS Limitations, cont. Problems that SSL / TLS does not take care of? TCP-level denial of service SYN flooding RST injection o (but does protect against data injection!) SQL injection / XSS / server-side coding/logic flaws Vulnerabilities introduced by server inconsistencies

SSL / TLS Limitations, cont. Problems that SSL / TLS does not take care of? SQL injection / XSS / server-side coding/logic flaws Vulnerabilities introduced by server inconsistencies

Regular web surfing: http: URL So no integrity - a MITM attacker can alter pages returned by server And when we click here attacker has changed the corresponding link so that it s ordinary http rather than https! We never get a chance to use TLS s protections! :-( sslstrip attack

SSL / TLS Limitations, cont. Problems that SSL / TLS does not take care of? SQL injection / XSS / server-side coding/logic flaws Vulnerabilities introduced by server inconsistencies Browser coding/logic flaws User flaws Weak passwords Phishing Issues of trust

TLS/SSL Trust Issues User has to make correct trust decisions

The equivalent as seen by most Internet users: (note: an actual Windows error message!)

TLS/SSL Trust Issues, cont. Commercial certificate authorities protect you from anyone from whom they are unwilling to take money. Matt Blaze, circa 2001 So how many CAs do we have to worry about, anyway?

TLS/SSL Trust Issues Commercial certificate authorities protect you from anyone from whom they are unwilling to take money. Matt Blaze, circa 2001 So how many CAs do we have to worry about, anyway? Of course, it s not just their greed that matters

This appears to be a fully valid cert using normal browser validation rules. Only detected by Chrome due to its recent introduction of cert pinning requiring that certs for certain domains must be signed by specific CAs rather than any generally trusted CA

TLS/SSL Trust Issues Commercial certificate authorities protect you from anyone from whom they are unwilling to take money. Matt Blaze, circa 2001 So how many CAs do we have to worry about, anyway? Of course, it s not just their greed that matters and it s not just their diligence & security that matters A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much. - Matt Blaze, circa 2010

BONUS SLIDES

Note: the cert is forged in the sense that it doesn t really belong to Gmail, PayPal, or whomever. But it does not appear forged because it includes a legitimate signature from a trusted CA.

Securing DNS Lookups Topic for next time: How can we ensure that when clients look up names with DNS, they can trust the answers they receive?

Think about these before Friday Problem 1. We have a database D = {d 1, d 2,, d n } of strings. A client anywhere in the world wants to be able to query it with a string s and determine whether s D; if the answer is yes, client should get a proof of this fact. We want to store copies of D on untrusted mirror servers. How do we do it securely? Problem 2. Same as Problem 1, but now if the answer is no, we also want a proof of that fact. How do we do it securely?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback