Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

Similar documents
Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

Secure Socket Layer. Security Threat Classifications

Security Protocols and Infrastructures. Winter Term 2010/2011

CSCE 715: Network Systems Security

Transport Layer Security

Security Protocols and Infrastructures. Winter Term 2015/2016

Security Protocols and Infrastructures

SSL/TLS CONT Lecture 9a

MTAT Applied Cryptography

The SSL Protocol. Version 3.0. Netscape Communications Corporation. Internet Draft March 1996 (Expires 9/96)

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Network Working Group Request for Comments: Category: Standards Track April 2006

TRANSPORT-LEVEL SECURITY

Chapter 5. Transport Level Security

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Chapter 4: Securing TCP connections

Transport Layer Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

CS 356 Internet Security Protocols. Fall 2013

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Internet security and privacy

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

MTAT Applied Cryptography

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

Chapter 12 Security Protocols of the Transport Layer

Request for Comments: Category: Standards Track Independent Consultant J. Mikkelsen Transactionware T. Wright Vodafone April 2006

CS669 Network Security

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 5

Chapter 8 Web Security

Lecture: Transport Layer Security (secure Socket Layer)

Lecture for February 10, 2016

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Authenticated Encryption in TLS

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Auth. Key Exchange. Dan Boneh

Request for Comments: D. Hopwood Independent Consultant J. Mikkelsen Transactionware T. Wright Vodafone June 2003

Interested in learning more about security? SSL/TLS: What's Under the Hood. Copyright SANS Institute Author Retains Full Rights

E-commerce security: SSL/TLS, SET and others. 4.1

TLS Extensions Project IMT Network Security Spring 2004

Cryptography (Overview)

Encryption. INST 346, Section 0201 April 3, 2018

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Transport Level Security

Request for Comments: 2712 Category: Standards Track CyberSafe Corporation October 1999

Internet security and privacy

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

CIS 5373 Systems Security

Introduction to Information Security

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999

COSC4377. Chapter 8 roadmap

Internet Engineering Task Force (IETF) Request for Comments: ISSN: January 2012

ecure Sockets Layer, or SSL, is a generalpurpose protocol for sending encrypted

Security analysis of DTLS 1.2 implementations

TLS 1.2 Protocol Execution Transcript

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

TLS connection management & application support. Giuseppe Bianchi

Secure Sockets Layer

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Performance Implications of Security Protocols

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Overview. SSL Cryptography Overview CHAPTER 1

Securing IoT applications with Mbed TLS Hannes Tschofenig

Virtual Private Network

WAP Security. Helsinki University of Technology S Security of Communication Protocols

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

ON THE SECURITY OF TLS RENEGOTIATION

18739A: Foundations of Security and Privacy. SSL/TLS Analysis. Anupam Datta. CMU Fall

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Introduction to Network Security Missouri S&T University CPE 5420 Application and Transport Layer Security

Transport Layer Security

Security Association Creation

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

The IPsec protocols. Overview

VPN Overview. VPN Types

Cryptography and Network Security

Virtual Private Networks

Securing Network Communications

One Year of SSL Internet Measurement ACSAC 2012

Information security.

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

CS 161 Computer Security

Coming of Age: A Longitudinal Study of TLS Deployment

Table of Contents 1 IKE 1-1

CSE509: (Intro to) Systems Security

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

CSCE 715: Network Systems Security

Was ist neu bei TLS 1.3?

SSL Time-Diagram. Second Variant: Generation of an Ephemeral Diffie-Hellman Key

Securely Deploying TLS 1.3. September 2017

Summary on Crypto Primitives and Protocols

Transcription:

T-110.5211 Cryptosystems RFC 2246: Transport Layer Security 1.0 IPsec Outline Transport Layer Security (TLS) 1.0 basics TLS 1.0 specification (RFC 2246) walk-through IPSec and (short) comparison of TLS and IPsec 22.10.2009 Jukka Valkonen Slides based on Sami Vaarala's slides Kaufman et al: Chapters 18 / 19 Stallings: Chapters 16 / 17.2 T-110.5211 Cryptosystems 1 T-110.5211 Cryptosystems 2 Transport Layer Security (TLS) 1.0 Transport Layer Security (TLS) 1.0 basics Background Originally Netscape's SSL for HTTPS, encrypted socket model TLS 1.0 (SSL 3.1) based on SSL 3.0, but details differ somewhat TLS 1.1 available (RFC 4346) but not widely used yet Most implementations are multi-version SSL 2.x/3.0 + TLS 1.0 Main specifications RFC 2246: The TLS Protocol Version 1.0 RFC 3546: Transport Layer Security (TLS) Extensions Typical usages HTTP over TLS (HTTPS, TCP port 443) IMAP, SMTP, POP, LDAP, EAP... Various network management protocols, VPNs, etc Microsoft Secure Socket Tunneling Protocol (SSTP) TLS 1.0 + PPP T-110.5211 Cryptosystems 3 T-110.5211 Cryptosystems 4

More TLS 1.0 related specifications TLS applications RFC 2595: Using TLS with IMAP, POP3 and ACAP RFC 2716: PPP EAP TLS Authentication Protocol RFC 2817: Upgrading to TLS Within HTTP/1.1 RFC 2818: HTTP Over TLS RFC 2830: Lightweight Directory Access Protocol (v3): Extension for TLS RFC 3207: SMTP Service Extension for Secure SMTP over TLS TLS extensions RFC 2712: Addition of Kerberos Cipher Suites to TLS RFC 3268: Advanced Encryption Standard (AES) Ciphersuites for TLS RFC 3436: Transport Layer Security over Stream Control Transmission Protocol RFC 3546: Transport Layer Security (TLS) Extensions RFC 3749: Transport Layer Security Protocol Compression Methods Upper layer service Services provided by TLS Encrypted application data, basically encrypted TCP socket Key exchange (=> 48-byte = 384-bit master secret ) RSA/DSA pre-master secret encrypted by client using pub. key Public key extracted from server certificate Or using a server-supplied max 512-bit RSA key Diffie-Hellman Ephemeral server sends (g, p, gx ), client responds with g Y Certificate-based D-H parameters embedded within certificates Authentication Provides server authentication Client can be authenticated (if client has a certificate) X.509 DSA/RSA certificate-based authentication of server (opt.) X.509 DSA/RSA certificate-based authentication of client (opt.) No password or other legacy authentication, just certificates T-110.5211 Cryptosystems 5 T-110.5211 Cryptosystems 6 Services provided by TLS Data security and compression (symmetric crypto) Block and stream cipher based symmetric encryption MAC-based integrity protection (typically HMAC-{MD5, SHA1}) Security parameters specified using a ciphersuite (next slide) Optional compression Other services Session resumption (optional) to avoid unnecessary handshakes Rekeying = new parameter negotiation & key exchange transparently to application data Ciphersuite specifies TLS ciphersuites Key exchange method e.g. ephemeral D-H Authentication method e.g. RSA signatures Symmetric encryption algorithm e.g. 3DES-EDE-CBC MAC algorithm e.g. HMAC-SHA1 Underlying idea Ciphersuite contains all security-relevant parameters Algorithms in cipher suite are consistent from security perspective Ciphersuite is identified using a single integer Number specified in RFC 2246 and follow-up specifications Not all session parameters contained within a ciphersuite Compression negotiated separately of ciphersuite T-110.5211 Cryptosystems 7 T-110.5211 Cryptosystems 8

TLS protocol layers Transport protocol Typically TCP TLS Record Protocol Encryption and integrity protection, compression Fragmentation of upper layer data Provides 256 logical byte streams for upper layer protocols TLS upper layer protocols, id = 8-bit number (0...255) change_cipher_spec (20) internal alert (21) internal handshake (22) internal application_data (23) exposed to applications Application data (upper layer service) Application data protocol # (= 23) on top of TLS Record Protocol TLS 1.0 specification RFC 2246 T-110.5211 Cryptosystems 9 T-110.5211 Cryptosystems 10 Sect. 1, 2, 3: Introductory RFC 2246 contents Sect. 4: Describing protocol data units Sect. 5: Basic cryptographic constructs Sect. 6: TLS Record Protocol Sect. 7: TLS Handshake Protocol Sect. 8: Cryptographic computations (master secret) Sect. 9, 10: Required cipher suite, handling of application data App. A: Protocol data units App. B, C, D: Terminology, cipher suites, implementation notes App. E, F: Backwards compatibility, security analysis Sections 1, 2, and 3 Defines TLS's role as a protocol Assumptions about underlying transport protocol Goals of the TLS protocol Cryptographic security Interoperability Extensibility Relative efficiency Goals of the TLS specification document Not much information here, but worth a read-through T-110.5211 Cryptosystems 11 T-110.5211 Cryptosystems 12

Section 4 describing protocol data units (1) Basic types Byte (8 bits), big endian (most significant byte first) in network format uint<n>, where N={8,16,24,32,64} Vector (fixed size): T1 is elem type; T2 is a vector of N T1s, size = N * sizeof(t1) (!) E.g. if T1 size is 3 bytes, we have a three element vector: T1 T2[9] E.g. four uint32s: uint32 mytype[16] Vector (variable size): Size is also encoded as N * sizeof(t1) In encoded form, length field precedes data Length of length field? Depends on maxsize, minimum length to represent maxsize E.g. uint16<100..300> => two-byte length field Section 4 describing protocol data units (2) Enumeration: E.g. enum { red(3), blue(5), white(7) } Color Represented as N bytes, where N based on maximum enumeration value E.g. if maximum enumeration value 255 => represent as one byte Last element may be unnamed, and indicate maximum value E.g. enum { red(3), blue(5), (65535) } Color (consumes two bytes, can still only include values 3 or 5) Structure: Like struct in C, reference to field f3 is T.f3 Structure variant: (next slide) E is an enumeration variable, case selected based on it E must be known to sender and receiver; it is not sent In the example, both sender and receiver know CipherSpec.cipher_type Cf. C language union T-110.5211 Cryptosystems 13 T-110.5211 Cryptosystems 14 Section 4 describing protocol data units (3) Section 4 describing protocol data units (4) Generic example of a variant T1 f1; T2 f2;... Tn fn; select (E) { case e1: Te1; case e2: Te2;... case en: Ten; } fv; } T; Concrete example TLSCiphertext ContentType type; ProtocolVersion version; uint16 length; select (CipherSpec.cipher_type) { case stream: GenericStreamCipher; case block: GenericBlockCipher; } fragment; } TLSCiphertext; Cryptographic attributes (Sect. 4.7) Describe how to represent some cryptographic values Uses ASN.1 (DER) partially, e.g. Dss-Sig-Value Special notation (and processing) defined for digitally-signed public-key-encrypted stream-ciphered block-ciphered Constants and assignment; e.g. uint8 f1, uint8 f2 } Example; Example ex1 = {1, 4}; T-110.5211 Cryptosystems 15 T-110.5211 Cryptosystems 16

Section 5 basic cryptographic constructs Cryptographic constructs defined in this section Keyed MAC => HMAC-MD5 & HMAC-SHA1 P_hash (secret, seed) PRF (secret, label, seed) Notation for HMAC HMAC_MD5 (secret, data) (=> 16 bytes) HMAC_SHA1 (secret, data) (=> 20 bytes) The P_hash hash(secret, seed) function Generates an infinitely long bitstream (bytestream) Uses an underlying hash function, e.g. P_MD5, P_SHA1 Actual variable inputs: secret and seed (differentiates streams) Intermediate construct used by the PRF() function Definition of P_hash P_hash (secret, seed) = HMAC_hash (secret, A(1) seed) HMAC_hash (secret, A(2) seed)... Definition of auxiliary function A A(0) = seed A(i) = HMAC_hash (secret, A(i-1)) Generating a bitstream in practice P_hash is iterated in byte blocks (16 or 20 bytes) until required amount of data has been obtained E.g. MD5 => to get 76 bytes, iterate 5 times (5*16=80) and ignore 4 bytes T-110.5211 Cryptosystems 17 T-110.5211 Cryptosystems 18 The PRF(secret, label, seed) function Generates an infinitely long bitstream (bytestream) Uses P_MD5 (secret, seed) and P_SHA1 (secret, seed) as helpers Definition of PRF Split secret to two halves (S1 and S2) Len_S1 = Len_S2 = ceil(secret / 2) S1 = first Len_S1 bytes, S2 = last Len_S2 bytes NB: If secret length is odd, middle byte occurs in both S1 and S2 PRF (secret, label, seed) = P_MD5 (S1, label seed) XOR P_SHA1 (S2, label seed) I.e. bitwise XOR of two infinite bitstreams label = ASCII string, encoding the context in which PRF is used Generating a bitstream in practice Generate required amount of bits from both P_MD5 and P_SHA1, and XOR the results Section 6 Record Protocol Overview TLS stream consists of Records Each record encodes some amount of bytes belonging to some upper layer (TLS internal) protocol, numbered 0...255 Separate framing inside each upper layer protocol; the Record Protocol does not respect boundaries within the upper layer In other words, the upper layer provides multiplexing of 256 distinct byte streams Processing of Records when sending (User) data + content type => TLSPlaintext Compression => TLSCompressed Encryption & MAC => TLSCipherText = final bytes Initially compression, encryption, MAC = identity algorithms Processing of Records when receiving Opposite of sending When decrypting, check integrity T-110.5211 Cryptosystems 19 T-110.5211 Cryptosystems 20

Section 6 Record Protocol Record formats ContentType type; ProtocolVersion version; uint16 length; opaque fragment[tlsplaintext.length]; } TLSPlaintext; ContentType type; ProtocolVersion version; uint16 length; opaque fragment[tlscompressed.length]; } TLSCompressed; ContentType type; ProtocolVersion version; uint16 length; select (CipherSpec.cipher_type) { case stream: GenericStreamCipher; case block: GenericBlockCipher; } fragment; } TLSCiphertext; uint8 major, minor; } ProtocolVersion; Data from upper layer protocol (encoded as ContentType) enum { change_cipher_spec(20), alert(21), handshake(22), application_data(23), (255) } ContentType; (next slides) To the network T-110.5211 Cryptosystems 21 Section 6 Record Protocol Block ciphers block-ciphered opaque content[tlscompressed.length]; opaque MAC[CipherSpec.hash_size]; uint8 padding[genericblockcipher.padding_length]; uint8 padding_length; } GenericBlockCipher; 't' 'e' 's' 't' Compute MAC, add padding (example: 3DES and HMAC-MD5) 't' 'e' 's' 't' mac mac mac mac mac mac mac mac mac mac mac mac mac mac mac mac 3 3 3 3 Padding???????????????????????????????????????????????????????????????????????? Plaintext Encrypt block by block (e.g. 3DES-EDE-CBC) 8-byte blocks (for e.g. 3DES) (= GenericBlockCipher in plaintext) Note: four bytes of 0x03! Encrypted 8-byte blocks (= GenericBlockCipher encrypted) Embedded into TLSCipherText structure T-110.5211 Cryptosystems 22 Section 6 Record Protocol Stream ciphers stream-ciphered opaque content[tlscompressed.length]; opaque MAC[CipherSpec.hash_size]; } GenericStreamCipher; 't' 'e' 's' 't' Plaintext Compute MAC (example: HMAC-MD5) Plaintext + MAC 't' 'e' 's' 't' mac mac mac mac mac mac mac mac mac mac mac mac mac mac mac mac???????????????????????????????????????????????????????????? Keystream XOR bit streams together => encrypted GenericStreamCipher Ciphertext???????????????????????????????????????????????????????????? Section 6 Record Protocol Connection state Conn. state encapsulates params for Record processing Client or server? Encryption, MAC, and compressions algorithms Master secret (48 bytes) Client and server random (32 bytes each) Also contains cryptographic state Client and server write MAC secret Client and server write encryption key Client and server write encryption IV (block ciphers only) Always an active connection state + one being built Handshake protocol builds next connection state change_cipher_spec protocol changes next to current state Initial state uses [encryption = MAC = compression = None] Embedded into TLSCipherText structure T-110.5211 Cryptosystems 23 T-110.5211 Cryptosystems 24

Section 6 Record Protocol Session keys Individual keys extracted from key material generated by key_block = PRF(SecurityParameters.master_secret, key expansion, server_random client_random) The key material is partitioned (in order) as follows: client_write_mac_secret [SecurityParameters.hash_size] server_write_mac_secret [SecurityParameters.hash_size] client_write_key [SecurityParameters.key_material_length] server_write_key [SecurityParameters.key_material_length] client_write_iv [SecurityParameters.IV_size] server_write_iv [SecurityParameters.IV_size] Keys are thus a function of established connection state Master secret in particular Client and server random => fixed Diffie-Hellman keys change Section 6 Record Protocol Fragmentation TLS Record maximum length is 2 14 = 16 kilobytes Ensures that connection is not completely blocked by records from some particular protocol Upper layer protocols define their own records Typically type-length-value encoding for these as well But there is no correspondence between these two types of records, for the TLS Record layer it's simply a byte stream without interpretation In particular... There is no guarantee that upper layer protocol records match 1-1 with TLS Records In fact, it is completely valid, for instance, to fragment upper layer protocols to one-byte TLS Records! (Even so, most implementations send exactly one handshake message per TLS Record) T-110.5211 Cryptosystems 25 T-110.5211 Cryptosystems 26 This section defines all (non-application) TLS 1.0 upper layer protocols change_cipher_spec alert handshake Also describes the handshake sequence What messages to send, when to send, what the messages contain What alternative sequences exist, depending on e.g. key exchange method This is the beef of the specification change_cipher_spec change_cipher_spec protocol usage Sent to notify peer that sender will start to use pending connection state (i.e. a negotiation state just completed using the handshake protocol) Note that in TLS it's possible to re-negotiate security after the initial handshake => rekeying The message format is trivial Consists of one byte (= 0x01) sent using the Record Protocol, ContentType number 20 enum { change_cipher_spec(1), (255) } type; } ChangeCipherSpec; T-110.5211 Cryptosystems 27 T-110.5211 Cryptosystems 28

alert alert protocol usage Sent to notify peer of a protocol error Fatal close connection, warning keep connection The message format is simple ContentType number 21 enum { warning(1), fatal(2), (255) } AlertLevel; enum { close_notify(0), unexpected_message(10), bad_record_mac(20), decryption_failed(21), record_overflow(22), decompression_failure(30), handshake_failure(40), bad_certificate(42), unsupported_certificate(43), certificate_revoked(44), certificate_expired(45), certificate_unknown(46), illegal_parameter(47), unknown_ca(48), access_denied(49), decode_error(50), decrypt_error(51), export_restriction(60), protocol_version(70), insufficient_security(71), internal_error(80), user_canceled(90), no_renegotiation(100), (255) } AlertDescription; AlertLevel level; AlertDescription description; } Alert; handshake overview Handshake protocol has its own framing format Each msg_type has its own format enum { hello_request(0), client_hello(1), server_hello(2), certificate(11), server_key_exchange (12), certificate_request(13), server_hello_done(14), certificate_verify(15), client_key_exchange(16), finished(20), (255) } HandshakeType; HandshakeType msg_type; /* handshake type */ uint24 length; /* bytes in message */ select (HandshakeType) { case hello_request: HelloRequest; case client_hello: ClientHello; case server_hello: ServerHello; case certificate: Certificate; case server_key_exchange: ServerKeyExchange; case certificate_request: CertificateRequest; case server_hello_done: ServerHelloDone; case certificate_verify: CertificateVerify; case client_key_exchange: ClientKeyExchange; case finished: Finished; } body; } Handshake; T-110.5211 Cryptosystems 29 T-110.5211 Cryptosystems 30 Client ClientHello handshake sequence overview Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished Application Data Server ServerHello Certificate* ServerKeyExchange* CertificateRequest* ServerHelloDone [ChangeCipherSpec] Finished Application Data * Indicates optional or situation-dependent messages that are not always sent. T-110.5211 Cryptosystems 31 hello exchange Client initiates with client hello, server responds Version, ciphersuite & compr. method negotiation (server picks) Session resumption client may send a preferred session id Exchange of client_random and server_random (=> key derivation) uint8 CipherSuite[2]; /* Cryptographic suite selector */ enum { null(0), (255) } CompressionMethod; CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 }; ProtocolVersion client_version; Random random; SessionID session_id; CipherSuite cipher_suites<2..2^16-1>; CompressionMethod compression_methods<1..2^8-1>; } ClientHello; ProtocolVersion server_version; Random random; SessionID session_id; CipherSuite cipher_suite; CompressionMethod compression_method; } ServerHello; T-110.5211 Cryptosystems 32

server's part opaque ASN.1Cert<1..2^24-1>; ASN.1Cert certificate_list<0..2^24-1>; } Certificate; opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_ys<1..2^16-1>; } ServerDHParams; /* Ephemeral DH parameters */ select (KeyExchangeAlgorithm) { case diffie_hellman: ServerDHParams params; Signature signed_params; case rsa: ServerRSAParams params; Signature signed_params; }; } ServerKeyExchange; } ServerHelloDone; Server's part of the handshake ServerHello Certificate ServerKeyExchange (CertificateRequest) ServerHelloDone CertificateRequest Only sent if mutual certificate authentication used client's part opaque ASN.1Cert<1..2^24-1>; ASN.1Cert certificate_list<0..2^24-1>; } Certificate; select (PublicValueEncoding) { case implicit: }; case explicit: opaque dh_yc<1..2^16-1>; } dh_public; } ClientDiffieHellmanPublic; select (KeyExchangeAlgorithm) { case rsa: EncryptedPreMasterSecret; case diffie_hellman: ClientDiffieHellmanPublic; } exchange_keys; } ClientKeyExchange; opaque verify_data[12]; // truncated hash } Finished; // ensuring keys OK Client's part of the handshake (Certificate) ClientKeyExchange (CertificateVerify) [ChangeCipherSpec] Finished (encrypted!) CertificateVerify Only sent if mutual certificate auth used ChangeCipherSpec Not actually part of the handshake protocol T-110.5211 Cryptosystems 33 T-110.5211 Cryptosystems 34 server's finish up Server finishes up by sending [ChangeCipherSpec] Finished (encrypted) The Finished messages ensure key exchange was OK Contains a 12-byte (96-bit) truncated hash, which ensures that both parties agree on what happened in the handshake Diffie-Hellman security still based on server certificate and signature Data for Finished is computed as PRF( master_secret, finished_label, MD5(handshake_msgs) SHA-1(handshake_msgs) ) [0..11] finished_label = client finished or server finished I.e. both MD5 and SHA-1 over a transcript of handshake msgs Section 8 Cryptographic computations Master secret = end result of key exchange; two steps 1. Generate pre_master_secret (length varies) Key exchange specific 2. Generate master_secret (48 bytes) from pre_master_secret Independent of key exchange Formula for computing master_secret: master_secret = PRF( [0..47] pre_master_secret, "master secret", ClientHello.random ServerHello.random ) T-110.5211 Cryptosystems 35 T-110.5211 Cryptosystems 36

Section 8 Cryptographic computations RSA RSA-based key exchange Client generates 48-byte pre_master_secret Use true random or cryptographic pseudo random Client encrypts pre_master_secret using server's public key Either the public key in the certificate, or if using export mode, using the (max) 512- bit public key sent by server Both parties compute master_secret as shown in previous slide RSA computation details (padding types) RSA digital signatures done using PKCS #1 block type 1 (or 0) RSA public key encryption done using PKCS #1 block type 2 Section 8 Cryptographic computations Diffie-Hellman Diffie-Hellman key exchange Conventional Diffie-Hellman computed by both parties If ephemeral, using server-specified D-H group If certificate-based, use fixed D-H certificates The resulting negotiated key is used as pre_master_secret I.e. result interpreted as a big number (byte array in big endian order), leading zeros removed For instance, if using 1024-bit D-H group, pre_master_secret is typically 1024/8 = 128 bytes long However, in some cases (less than 0,4%) it will be 127 bytes long, or even shorter Certificate-based Diffie-Hellman The pre_master_secret will be the same for each negotiation But master_secret formula mixes in client and server random, and will thus generate varying session keys T-110.5211 Cryptosystems 37 T-110.5211 Cryptosystems 38 Sections 9 and 10... No need to summarize, here's what they say: 9. Mandatory Cipher Suites In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. 10. Application data protocol Application data messages are carried by the Record Layer and are fragmented, compressed and encrypted based on the current connection state. The messages are treated as transparent data to the record layer. Appendices Appendix A: Protocol data units All protocol data definitions in one place Appendix B: Terminology Definitions for terms, not very interesting Appendix C: Cipher suites Cipher suite details Appendix D: Implementation notes Some implementation notes, not very useful Appendix E: Backwards compatibility Compatibility with SSL 3.0 and 2.x Appendix F: Security analysis An interesting read through, not very useful T-110.5211 Cryptosystems 39 T-110.5211 Cryptosystems 40

RFC 2246 contents recap Sect. 1, 2, 3: Introductory Sect. 4: Describing protocol data units Sect. 5: Basic cryptographic constructs PRF Sect. 6: TLS Record Protocol Session key Sect. 7: TLS Handshake Protocol Beef Sect. 8: Cryptographic computations (master secret) D-H & RSA Sect. 9, 10: Required cipher suite, handling of application data App. A: Protocol data units App. B, C, D: Terminology, cipher suites, implementation notes App. E, F: Backwards compatibility, security analysis IPsec T-110.5211 Cryptosystems 41 T-110.5211 Cryptosystems 42 Overview of IPSec IP level packet-based encryption Provides Authentication (AH), encryption (ESP) or both (ESP) AH provides integrity, ESP confidentiality (and integrity) ESP with NULL-encryption does basically the same as AH ESP Encryption MUST NULL [RFC2410] MUST AES-CBC with 128-bit keys [RFC3602] MUST- TripleDES-CBC [RFC2451] SHOULD AES-CTR [RFC3686] SHOULD NOT DES-CBC [RFC2405] T-110.5211 Cryptosystems 43 IPSec Keying (IKE) IPSec uses Internet Key Exchange (IKE) Two phases First phase: Mutual authentication and key exchange Second phase: Creation of Security Associations (SA) Encryption methods, sequence numbers,... Key exchange Two modes: aggressive and main mode Aggressive mode creates a session key in three messages Main mode creates keys in six messages More flexible, more functionality Aggressive mode: Alice->Bob: identity, proposal for cryptographic algorithm, public D-H key Bob->Alice: identity, selected algorithm, public D-H key, proof of identity Alice->Bob: proof of identity (Alice's) Mutual authentication based on long term key Pre-shared secret Public signature-only key Public encryption key T-110.5211 Cryptosystems 44

IPSec Keying (Aggressive mode) Alice->Bob: crypto suites I support Bob->Alice: crypto suite I choose Alice->Bob: D-H public key Bob->Alice: D-H public key Alice->Bob: Identity, proof of identity (Encrypted) Bob->Alice: Identity, proof of identity (Encrypted) TLS versus IPsec T-110.5211 Cryptosystems 45 T-110.5211 Cryptosystems 46 Comparing TLS to IPsec Basic differences in application TLS secures streams, IPsec secures packets TLS relies on a transport layer, while IPsec works as part of IP Key exchange Protocol details differ, but the idea is the same IPsec: Bulk encryption (ESP/AH) separated from key exchange (IKE) IPsec uses authenticated Diffie-Hellman, like TLS RSA / DSA signatures, pre-shared key; legacy authentication IPsec bulk encryption IPsec has to deal with packet loss IPsec packets are also numbered to deal with replays Algorithms similar, e.g. 3DES + HMAC-SHA1-96 (truncated hash) Compression Compression not built-in part of IPsec, but IPcomp often used Other Remember: No lecture next week (exam period) Next lecture Wed 4.11. at 10:15 in T1 DL for 2 nd assignment next Monday at noon 3 rd assignment published DL Nov 9 th Results for assignments are to be published in Noppa T-110.5211 Cryptosystems 47 T-110.5211 Cryptosystems 48

Summary Transport Layer Security (TLS) 1.0 basics TLS 1.0 specification (RFC 2246) walk-through Comparison to IPsec T-110.5211 Cryptosystems 49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback