CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Similar documents
CSCE 715: Network Systems Security

Secure Socket Layer. Security Threat Classifications

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Transport Layer Security

Chapter 5. Transport Level Security

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

TRANSPORT-LEVEL SECURITY

MTAT Applied Cryptography

CS 356 Internet Security Protocols. Fall 2013

Chapter 8 Web Security

E-commerce security: SSL/TLS, SET and others. 4.1

Transport Level Security

Chapter 4: Securing TCP connections

Security Protocols and Infrastructures. Winter Term 2010/2011

Internet security and privacy

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Transport Layer Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

ecure Sockets Layer, or SSL, is a generalpurpose protocol for sending encrypted

Security Protocols and Infrastructures. Winter Term 2015/2016

Lecture for February 10, 2016

Overview. SSL Cryptography Overview CHAPTER 1

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

CS669 Network Security

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Security Protocols and Infrastructures

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Chapter 12 Security Protocols of the Transport Layer

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

MTAT Applied Cryptography

(2½ hours) Total Marks: 75

Lecture: Transport Layer Security (secure Socket Layer)

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

Cryptography and Network Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

The SSL Protocol. Version 3.0. Netscape Communications Corporation. Internet Draft March 1996 (Expires 9/96)

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

SSL/TLS CONT Lecture 9a

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Cryptography and Network Security

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

L13. Reviews. Rocky K. C. Chang, April 10, 2015

TLS Extensions Project IMT Network Security Spring 2004

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Cryptography (Overview)

CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks

Transport Layer Security

Performance Implications of Security Protocols

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

TLS 1.2 Protocol Execution Transcript

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Introduction to Network Security Missouri S&T University CPE 5420 Application and Transport Layer Security

AIR FORCE INSTITUTE OF TECHNOLOGY

CSCE 715: Network Systems Security

8. Network Layer Contents

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Authenticated Encryption in TLS

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Chapter 8 Network Security

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Configuring Secure Socket Layer HTTP

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Configuring Secure Socket Layer HTTP

Copyright Institute for Applied Information Processing and Communications, Graz University of Technology

Encryption. INST 346, Section 0201 April 3, 2018

Chapter 6: Security of higher layers. (network security)

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Cryptographic Concepts

COSC4377. Chapter 8 roadmap

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

TLS1.2 IS DEAD BE READY FOR TLS1.3

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Findings for

Pretty Good Privacy (PGP

HP Instant Support Enterprise Edition (ISEE) Security overview

Configuring Secure Socket Layer HTTP

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CS 161 Computer Security

Message authentication codes

CIS 4360 Secure Computer Systems Symmetric Cryptography

TLS authentication using ETSI TS and IEEE certificates

Network Security Chapter 8

Transcription:

CS 393 Network Security Nasir Memon Polytechnic University Module 12 SSL

Course Logistics HW 4 due today. HW 5 will be posted later today. Due in a week. Group homework. DoD Scholarships? NSF Scholarships? Read Chapter 7 Section 2 of text for SSL. 4/4/02 Module 12 - SSL 2

Where do we provide security? Firewall Application layer S-MIME, PGP, Kerberos etc. Transport layer SSL, TSL Network layer VPN s, IPSEC 4/4/02 Module 12 - SSL 3

Transport Layer Security HTTP HTTP / FTP / SMTP / etc SSL TCP TCP IP IP Standard TCP/IP Protocol Suite SSL Implementation 4/4/02 Module 12 - SSL 4

Secure Sockets Layer (SSL) Platform and Application Independent Operates between application and transport layers Web Applications HTTP NNTP FTP Telnet Etc. New Apps SSL TCP/IP 4/4/02 Module 12 - SSL 5

SSL over TCP over IP IP Header IP Data TCP Header TCP Data Src Dst Type: TCP Src Port Dst Port Seq Num TLS TLS Payload Encrypted Application Data 4/4/02 Module 12 - SSL 6

SSL Secure Socket Layer Protocol Designed by Netscape - 93. Current version 3. Provides privacy and reliability between two communicating applications (Focus on Web). Requires reliable transport protocol (TCP). Only protects data in transit. Limited by cryptographic tools it uses. Does not provide non-repudiation or traffic flow confidentiality. Now with IETF Transport Layer Security (TLS). 4/4/02 Module 12 - SSL 7

SSL History 95 96 99 Initial Design SSL v2.0 SSLRef 2.0 SSL BOF @ IETF SSL v3.0 SSL BOF II @ IETF TLS Draft TLS v1.0 Independent Implementations Hardware, Toolkits, Applications 4/4/02 Module 12 - SSL 8

SSL - Secure Socket Layer Protocol A server running SSL provides Confidentiality Integrity Authenticity SSL is designed to operate in a number of different modes, depending on the requirement of the network connection Encrypted communication only Encryption and authentication of the server Encryption and authentication of client and server 4/4/02 Module 12 - SSL 9

SSL - Overview Two layers of protocols. Establishes peer-to-peer session which could consist of multiple connections. 4/4/02 Module 12 - SSL 10

SSL Record Protocol. Provides confidentiality and message integrity services. Fragment Blocks of 2 14 bytes. MAC HMAC like, using SHA-1 or MD5. Encrypt DES, 3DES, IDEA, RC4, RC5, with different key lengths. Compress none. 4/4/02 Module 12 - SSL 11

SSL Record Format Type: Which higher layer protocol. Only one type in each message. Major, Minor version SSL version. Length of message 4/4/02 Module 12 - SSL 12

SSL Handshake Protocol. Allows server and client to authenticate one another and establish security parameters. Consists of following phases: Establish security capabilities. Server authentication and key exchange. Client authentication and key exchange. Finish. Message format Type Length Content 1 byte 3 bytes >= 0 bytes 4/4/02 Module 12 - SSL 13

SSL Alert Protocol Alert Protocol Used for SSL related alert and error messages Level 1 byte Alert 1 byte Messages include: unexpected_message, bad_record_mac, handshake_failure, illegal_parameter, bad_certificate etc. 4/4/02 Module 12 - SSL 14

SSL - Cipher Change Spec Protocol Causes pending state to be copied into current state. Why separate protocol? 1 1 byte Because of Record Layer encapsulation. Security services (eg. Encryption) applied to all of Record Layer Message at once. Hence cipher change cannot be mixed with other messages. Separate protocol ensures above condition. 4/4/02 Module 12 - SSL 15

SSL Example Exchange INTERNET THE SSL PROTOCOL DEFINES VARIOUS MESSAGE TYPES EXCHANGED BETWEEN CLIENT AND SERVER 4/4/02 Module 12 - SSL 16

SSL Cipher Suite For public-key, symmetric encryption and certificate verification we need public-key algorithm symmetric encryption algorithm message digest (hash) algorithm This collection is called a cipher suite SSL supports many different suites Client and server must decide on which one to use The client offers a choice; the server picks one. 4/4/02 Module 12 - SSL 17

SSL- Encryption Techniques Block Cipher Stream Cipher Algorithm Key Size Algorithm Key Size IDEA 128 RC4-40 40 RC2-40 40 RC4-128 128 DES-40 40 DES 56 3DES 168 Fortezza 80 4/4/02 Module 12 - SSL 18

SSL- Message Authentication Code hash(mac_write_secret pad_2 hash(mac_write_secret pad_1 seq_num SSL Compressed.type SSLCompressed.length SSLCompressed.fragment)) where MAC_write_secret = shared secret key hash = cryptographic hash algorithm; either MD5 or SHA-1 pad_1= the byte 0x36(0011 0110)repeated 48*(384 bits) for MD5 and 40*(320 bits) for SHA-1 pad_2= the byte 0x5C (0101 1100) repeated 48*for MD5 and 40*for SHA-1 seq_num = the sequence number for this message SSLCompressed.type = the higher-level protocol used to process this fragment SSLCompressed.length = the length of the compressed fragment SSLCompressed.fragment = the compressed fragment(if compression is not used, the plaintext fragment) 4/4/02 Module 12 - SSL 19

Example Cipher Suites SSL_NULL_WITH_NULL_NULL = { 0, 0 } INITIAL (NULL) CIPHER SUITE PUBLIC-KEY ALGORITHM SYMMETRIC ALGORITHM HASH ALGORITHM SSL_RSA_WITH_NULL_MD5 = { 0, 1 } SSL_RSA_WITH_NULL_SHA = { 0, 2 } SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 } SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 } SSL_RSA_WITH_RC4_128_SHA = { 0, 5 } SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 } SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 } SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 } SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 } SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 } CIPHER SUITE CODES USED IN SSL MESSAGES 4/4/02 Module 12 - SSL 20

SSL Encryption Premaster secret Created by client; used to seed calculation of encryption parameters Very simple: 2 bytes of SSL version + 46 random bytes Sent encrypted to server using server s public key Master secret Generated by both parties from premaster secret and random values generated by both client and server Key material Generated from the master secret and shared random values Encryption keys Extracted from the key material 4/4/02 Module 12 - SSL 21

Forming the Master Secret SERVER S PUBLIC KEY IS SENT BY SERVER IN ServerKeyExchange CLIENT GENERATES THE PREMASTER SECRET ENCRYPTS WITH PUBLIC KEY OF SERVER CLIENT SENDS PREMASTER SECRET IN ClientKeyExchange SENT BY CLIENT IN ClientHello SENT BY SERVER IN ServerHello MASTER SECRET IS 3 MD5 HASHES CONCATENATED TOGETHER = 384 BITS 4/4/02 Module 12 - SSL 22

Forming the Key Material JUST LIKE FORMING THE MASTER SECRET EXCEPT THE MASTER SECRET IS USED HERE INSTEAD OF THE PREMASTER SECRET... 4/4/02 Module 12 - SSL 23

Obtaining Keys from the Key Material SECRET VALUES INCLUDED IN MESSAGE AUTHENTICATION CODES SYMMETRIC KEYS INITIALIZATION VECTORS FOR DES CBC ENCRYPTION SOURCE: THOMAS, SSL AND TLS ESSENTIALS 4/4/02 Module 12 - SSL 24

SSL- Handshake Protocol The handshake protocol is used before any application data is transmitted. Message Type hello_request client_hello server_hello certificate server_key_exchange certificate_request server_done certificate_verify client_key_exchange finished Parameters null version, random, session id, cipher suite, compression method version, random, session id, cipher suite, compression method chain of X.509v3 certificates parameters, signature type, authorities null signature parameters, signature hash value 4/4/02 Module 12 - SSL 25

SSL Handshake if it has one SYMMETRIC ASYMMETRIC ASYMMETRIC SYMMETRIC SECURETRANSMISSION BEGINS HERE 4/4/02 Module 12 - SSL 26

SSL- Hello Parameters Session ID: An arbitrary byte sequence chosen by the server to identify an active or resumable session state Could be created by using Diffie-Hellman. Or by the hash of the shared secret and salt. Peer certificate: An X509.v3 certificate of the peer. This element of the state may be null. Compression method: The algorithm used. Cipher spec: Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the hash_size. 4/4/02 Module 12 - SSL 27

SSL Messages OFFER CIPHER SUITE MENU TO SERVER CLIENT SIDE SERVER SIDE SELECT A CIPHER SUITE SEND CERTIFICATE AND CHAIN TO CA ROOT SEND PUBLIC KEY TO ENCRYPT SYMM KEY SEND ENCRYPTED SYMMETRIC KEY SERVER NEGOTIATION FINISHED ACTIVATE ENCRYPTION CLIENT PORTION DONE ( CLIENT CHECKS OPTIONS ) NOW THE PARTIES CAN USE SYMMETRIC ENCRYPTION ( SERVER CHECKS OPTIONS ) ACTIVATESERVER ENCRYPTION SERVER PORTION DONE 4/4/02 Module 12 - SSL 28

Encryption and authentication of server - Making a purchase from Barnes & Nobles Server sends ServerKeyExchange along with Server Certificate Server 2. Server Hello 3. Server Certificate 4. Server Hello Done 1. Client Hello 5. Client Key Exchange 6. Change Cipher Spec 7. Finished Client 8. Change Cipher Spec 9. Finished 4/4/02 Module 12 - SSL 29

SSL- Other Modes Encryption and authentication of both the client and server Both client and server send certificates. Encrypted Communication only No certificates are sent. ServerKeyExchange replaces server certificate in the 3rd step. 4/4/02 Module 12 - SSL 30

SSL: Attacks - Man-in-the-Middle attack Client Attacker Server V2 ClientHello (with v3 hints) V2 ServerHello V2 ClientHello (hints removed) V2 ServerHello 4/4/02 Module 12 - SSL 31

SSL- Detection of Man-in-the-Middle attack: Duel version client uses special padding values in the ClientKeyExchange message. It sets the last 8 bytes to 00000011 If the server finds this value, then an attack is occurring. Note: Attacker will not be able to modify this value as it is encrypted with server s public key. 4/4/02 Module 12 - SSL 32

SSL: Traffic Analysis Attacks Attacker may learn a lot about the target just by observing the traffic to and from that target, even if he/she cannot decrypt it. SSL only provides padding for block ciphers and not stream ciphers. So when SSL uses stream ciphers for encryption, an attacker can easily find the size of the unencrypted data. All he has to do is subtract the size of the MAC from the encrypted message. 4/4/02 Module 12 - SSL 33

SSL: The Blechenbacher Attack In SSL the encoded data always begins with the two bytes 00 and 02. The attacker constructs many artificial ciphertext blocks and sends them to the target. The target decrypts these blocks. As a result one of the following might happen. The resulting plaintext does not have the above mentioned encoding format. So the target generated an error or ignores the communication. 4/4/02 Module 12 - SSL 34

SSL: The Blechenbacher Attack continued The resulting plaintext will begin with 00 and 02, hence the target considers the decryption to be successful. The attacker observes the target reaction to each ciphertext block it sends, noting which block gets decrypted successfully (according to the target) and which does not. Over a period of time and with mathematical analysis the attacker might be able to decrypt one of the cipher blocks that was sent to the target during a legitimate communication. 4/4/02 Module 12 - SSL 35

SSL- Differences between V2 and V3 Version 3 supports more cryptographic functions in its cipher suite. The ClientHello message slightly varies in v2 and v3. 4/4/02 Module 12 - SSL 36

TLS - Transport Layer Security TLS is very similar to SSLv3. TLS makes use of HMAC algorithm defined as: HMAC K = H[(K + xor opad) H[(K + xor ipad) M]] H = embedded hash function (for TLS, either MD5 or SHA-1) M = message input to HMAC K + = secret key padded with zeros to block length of hash code Ipad = 00110110 (36 in hexadecimal) repeated 64 times (512 bits) Opad = 01011100 (5C in hexadecimal) repeated 64 times (512 bits) 4/4/02 Module 12 - SSL 37

SSLv3 and TLS Differences SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key rather than being XORed with the secret key padded to the block length. The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field TLSCompressed.version, which is the version of the protocol being employed. TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. 4/4/02 Module 12 - SSL 38

SSLv3 and TLS Differences (Contd.) Key Exchange: TLS supports all of the key exchange techniques of SSLv3 with the exception of Fortezza. Symmetric Encryption Algorithms: TLS includes all of the symmetric encryption algorithms found in SSLv3, with the exception of Fortezza. 4/4/02 Module 12 - SSL 39

SSLv3 and TLS Differences (Contd.) In SSL, the padding added prior to encryption of user data is the minimum amount required so that the total size of the data to be encrypted is a multiple of the cipher's block length. In TLS, the padding can be any amount that results in a total that is a multiple of the cipher's block length, up to a maximum of 255 bytes. 4/4/02 Module 12 - SSL 40

Further Reading SSL 3.0 spec at http://home.netscape.com/eng/ssl3/ssltoc.html Book: SSL and TLS Essentials by Stephen Thomas John Wiley. RFC on TLS at http://www.ietf.org/rfc/rfc2246.txt Article: Analysis of SSL Security at http://www.counterpane.com/ssl.html 4/4/02 Module 12 - SSL 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback