Transport Layer Security

Similar documents
Security Protocols and Infrastructures. Winter Term 2010/2011

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Security Protocols and Infrastructures. Winter Term 2015/2016

Universität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2

CSCE 715: Network Systems Security

Security Protocols and Infrastructures

Chapter 4: Securing TCP connections

CS 356 Internet Security Protocols. Fall 2013

Transport Layer Security

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Transport Level Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

MTAT Applied Cryptography

Secure Socket Layer. Security Threat Classifications

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Internet security and privacy

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

E-commerce security: SSL/TLS, SET and others. 4.1

Chapter 8 Web Security

Chapter 12 Security Protocols of the Transport Layer

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

MTAT Applied Cryptography

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

SSL Time-Diagram. Second Variant: Generation of an Ephemeral Diffie-Hellman Key

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Auth. Key Exchange. Dan Boneh

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

Chapter 5. Transport Level Security

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Cryptography (Overview)

TRANSPORT-LEVEL SECURITY

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Outline. Transport Layer Security (TLS) 1.0. T Cryptosystems. Transport Layer Security (TLS) 1.0 basics

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Coming of Age: A Longitudinal Study of TLS Deployment

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Performance Implications of Security Protocols

Solving HTTP Problems With Code and Protocols NATASHA ROONEY

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 5

TLS 1.2 Protocol Execution Transcript

Securing IoT applications with Mbed TLS Hannes Tschofenig

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Overview. SSL Cryptography Overview CHAPTER 1

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

COSC4377. Chapter 8 roadmap

Overview of TLS v1.3 What s new, what s removed and what s changed?

Internet security and privacy

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Transport Layer Security

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

SharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Encryption. INST 346, Section 0201 April 3, 2018

Attacks on re-keying and renegotiation in Key Exchange Protocols

ON THE SECURITY OF TLS RENEGOTIATION

CSCE 715: Network Systems Security

SSL/TLS. Pehr Söderman Natsak08/DD2495

Network Working Group Requests for Commments: 2716 Category: Experimental October 1999

Requirements from the. Functional Package for Transport Layer Security (TLS)

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Sensitive Information in a Wired World

From wired internet to ubiquitous wireless internet

The Secure Shell (SSH) Protocol

Was ist neu bei TLS 1.3?

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Network Encryption 3 4/20/17

Information Security CS 526

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

TLS Extensions Project IMT Network Security Spring 2004

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer Networks II

TLS1.2 IS DEAD BE READY FOR TLS1.3

Securely Deploying TLS 1.3. September 2017

Kurose & Ross, Chapters (5 th ed.)

Datasäkerhetsmetoder föreläsning 7

Lecture 10: Communications Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

CS Computer Networks 1: Authentication

AIR FORCE INSTITUTE OF TECHNOLOGY

Understanding Traffic Decryption

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Summary on Crypto Primitives and Protocols

Security analysis of DTLS 1.2 implementations

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Lecture: Transport Layer Security (secure Socket Layer)

Chapter 6/8. IP Security

An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

8. Network Layer Contents

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Transcription:

Cryptography and Security in Communication Networks Transport Layer Security ETTI - Master - Advanced Wireless Telecommunications

Secure channels Secure data delivery on insecure networks Create a secure channel using a protocol that can provide the required security services. Internet Alice Trudy Bob Typical protocol components Authenticated key-establishment protocol provides a master shared secret for the current session. Operational keys for SKE and MAC are derived using a PRF from the master secret. Message authentication with MAC & appropriate encapsulation. Message encryption using SKE & appropriate encapsulation. Other mechanisms, e.g., for stream integrity, anti-replay. Octavian Catrina 2

Secure channels and network layers 1/3 At what layer should we create a secure channel? Depends on the problem we have to solve! Security requirements for DL, NL, TL and applications. E.g., protect all packets exchanged over WLAN; authenticate IP routing info advertisements; authenticate DNS records; provide authentication and integrity and/or confidentiality for interactive application sessions (e.g., HTTP) or messages (e.g., e-mail). WLAN LAN WAN LAN Host Access Point LAN switch Router WAN switch WAN switch Router LAN switch Host Appl. Appl. TL TL NL - - NL - - NL - NL DL DL DL DL DL DL DL DL DL PHY PHY PHY PHY PHY PHY PHY PHY PHY Octavian Catrina 3

Secure channels & network layers 2/3 Security at Data-link layer Advantages: Covers all traffic on a link (upper layer protocols and apps). Best way to protect all traffic on wireless (radio) channels. Best way to control network access, at edge. Transparent for upper layer protocols & apps. Hardware implementation (NIC). Main limitations: Per-hop security, not end-to-end. Security at Network layer (IP) Advantages: Covers all IP traffic end-to-end (assuming IP end-to-end). Transparent for upper layer protocols & apps. Hardware implementation possible. Main limitations: Low flexibility & application control (same security for all). Datagram security only. No data stream integrity. Octavian Catrina 4

Secure channels & network layers 3/3 Security at Transport/Session layer Advantages: End-to-end data stream security. Applications can control what security services are used. Limitations: Not fully transparent for users and applications. Difficult to ensure appropriate security for all applications run by employees on their PCs. No protection for lower layer traffic. No hardware implementation. Security at application level Advantages: Security services fully adapted to application needs. Disadvantages: We have to design & implement security per application (much harder for secure protocols). Octavian Catrina 5

Authenticated encryption Authenticated encryption Combination of encryption and message authentication. Never use encryption without MAC. If confidentiality is not necessary, use MAC alone. Composition of MAC and encryption schemes Variant Protected message Example Provable security Encrypt then MAC (ETM) MAC then Encrypt (MTE) MAC and Encrypt (MAE) E K1 (m) MAC K2 (E K1 (m)) IPsec Secure composition independent of schemes. Recommended method. E K1 (m MAC K2 (m)) TLS Secure composition for certain (usual) combinations of schemes. E K1 (m) MAC K2 (m) SSH Not provable as general composition method (secure in particular cases). Dedicated authenticated-encryption schemes More efficient than composition techniques. Examples: CCM (Counter with CBC-MAC Mode), NIST SP800-38C. E.g., IEEE 802.11i. GCM (Galois/Counter Mode), NIST SP800-38D. E.g., IEEE 802.1ae. Octavian Catrina 6

TLS (Transport Layer Security) protocol

TLS protocol TLS protocol Provides a secure communication channel on top a reliable transport protocol, usually TCP. Widely used by in Web browsers and servers (http over TLS: https://...). A.k.a. SSL: Secure Socket Layer. Security services HTTP FTP... TLS (a.k.a SSL) TCP Secure connection setup, including key exchange with server authentication and (optionally) client authentication. Authenticated encryption of application data (SE + MAC). Development and standardization Originally developed by Netscape; last version: SSL v3.0. Adopted by IETF as TLS 1.0, specified in RFC 2246. Current spec.: TLS 1.2, RFC 5246, 2008 (and other RFCs). Octavian Catrina 8 IP

TLS sessions and connections TLS session Association between a client and a server that defines a set of cryptographic security parameters. These parameters can be shared among multiple TLS connections. Session setup provides: Negotiation of cryptographic mechanisms ("cipher-suites"). Server and client authentication. Exchange of basic key material. TLS connection Transient connection associated with a TLS session, offering reliable and secure data transport: Data integrity (authentication) using HMAC (MD5 or SHA-1). Data confidentiality using an encryption scheme based on a block cipher (e.g., AES, 3DES), RC4 stream cipher, etc. Fast connection setup: new keys computed using the session's (pre-)master secret and connection nonces. Octavian Catrina 9

TLS / SSL TLS architecture HTTP, FTP, SMTP, POP3, IMAP4, LDAP, etc. Handshake Protocol Change Cipher Protocol Alert Protocol Record Protocol TCP Record protocol Encapsulates user data, providing data authentication and confidentiality. Encapsulates TLS control messages: Handshake, Change Cipher, Alert. Handshake protocol Session and connection setup. Change Cipher protocol Single message: starting to use new cipher-suite & keys agreed-upon. Alert protocol Error notifications. Octavian Catrina 10

TLS Record protocol 1/2 Data processing A user data stream is processed as a sequence of data blocks (fragments) with length up to (about) 2 14 octets. A sequence number is assigned to each fragment. Data processing (outline): Application data Fragment 1 Fragment 2... Fragment n Compress MAC Encrypt Processing per block: Compress (optional). Compute MAC, append MAC and padding. Encrypt all this using a SE scheme. Octavian Catrina 11

Records TLS Record protocol 2/2 TLS must determine the sequence of encrypted blocks in the octet stream delivered by TCP, in order to process received data (decryption & MAC). Same problem for control messages. The TLS record format provides the payload encapsulation necessary for this purpose. Record format: Data record processing (details): Record header Record type Protocol version Record length seq_num record header record data (compressed) MAC MAC key Record payload record header record data (compressed) MAC padding User data (compression, MAC, encryption) or TLS control message(s) record header Encrypt Init. Value (IV) Encryption key encrypted & integrity-protected data Octavian Catrina 12

TLS Handshake Protocol 1/2 Session setup Cipher-suite negotiation. Key exchange with server and client authentication. Client Example (simplified) Negotiate cipher-suite, exchange random nonces. Server Cipher-suites I suggest. My random nonce R C Session-id. Cipher-suite I choose. My random nonce R S. Certificate for my public-key (PK S ) Choose cipher-suite. Choose pre-master secret S, encrypt it, and send it to server. Compute master secret K = PRF(S, R C, R S ), and derive from K, R C, R S the keys for MAC and encryption. Key exchange. In this example, key transport using RSA encryption and (implicit) server authentication. Our secret E PKS (S). Handshake integrity check (MAC(msgs)) Handshake integrity (MAC(msgs)), proof I know the keys) Data, encrypted and integrity protected with keys derived from K Decrypt pre-master secret S. Compute master secret K = PRF(S, R C, R S ), and derive from K, R C, R S the keys for MAC & encryption. Octavian Catrina 13

TLS Handshake Protocol 2/2 Session resumption Handshake that allows to reuse authentication and shared secrets across multiple connections, perform fast re-keying of the current connection (new session secrets using fresh nonces), and to re-negotiate the cipher-suite. Example: Re-keying a connection (simplified) Client Client and server have set up a session identified by session-id and share the session's master key K. Server Session-id. Cipher. New random nonce R' C Derive from K, R' C, R' S new keys for MAC and encryption. Session-id. Cipher. New nonce R' S. Integrity check (MAC(msgs)) Integrity check (MAC(msgs)) Derive from K, R' C, R' S new keys for MAC and encryption. Data, encrypted and integrity protected with keys derived from K Octavian Catrina 14

Key exchange methods Ephemeral Diffie-Hellman DHE_RSA, ECDHE_RSA, DHE_DSS, ECDHE_ECDSA. Best method. DH key exchange with one-time DH secrets. Server and (optionally) client authentication using RSA or DSS signatures. Variants for integer groups and elliptic curve groups. RSA encryption The pre-master secret is encrypted with the server s public RSA key. This also authenticates the server. The server can request client authentication using RSA or DSS signature. Pre-shared keys Introduced in RFC 4279, Dec. 2005. Others Fixed Diffie-Hellman (DH_RSA, DH_DSS). The server has a fixed DH key-pair (with certificate). This also authenticates the server. The server can request client authentication using DH key or using RSA or DSS signature. Kerberos,. Octavian Catrina 15

TLS Pseudo-Random Function (PRF) TLS 1.2 (RFC 5246) defines a PRF based on HMAC with the hash function SHA-256. This PRF takes as input a secret, a seed, and an identifying label and produces an output of arbitrary length. Data expansion function: P(key, seed) = HMAC( key, A(1) seed ) HMAC( key, A(2) seed ) HMAC( key, A(3) seed )... where " " denotes concatenation, A(0) = seed A(i) = HMAC( key, A(i-1) ) PRF: PRF(key, label, seed) = P(key, label seed) where "label" is an ASCII string. key seed key seed In HMAC Out In HMAC Out A(1) key seed key 256 bits = 32 bytes In HMAC Out In HMAC Out A(2) key seed key In HMAC Out In HMAC Out A(3)...... - The data expansion function P() is iterated until the required quantity of data is obtained. (e.g., for 80 bytes, P() is iterated 3 times, creating 332 = 96 bytes of data; the last 16 bytes are discarded). - E.g., TLS uses this PRF to generate from a master secret (as key) and random nonces (as seed) the data authentication and data encryption keys for each direction of a TLS connection. Octavian Catrina 16

TLS session setup: Overview Client Optional message, depending on AKE variant. Server Negotiate cipher suite, exchange connection nonces. Key exchange (KE) with server and optionally client authentication. Several KE methods. Client and server compute a master secret and then derive data encryption and data authentication keys for each direction. ChangeCipherSpec: Client commits agreed cipher-suite and keys. Next messages are encrypted and authenticated. ClientFinished: MAC with master secret authenticates handshake, confirms key knowledge, etc. ClientHello (suggested cipher-suites, client nonce) ServerHello (chosen cipher-suite, server nonce, session-id) ClientCertificate (client certificate) ClientKeyExchange (key material) ServerCertificate (server certificate) ServerKeyExchange (key material) CertificateRequest (what client certificate) CertificateVerify (proof I know my private key) ChangeCipherSpec ClientFinished(MAC(handshake messages)) ChangeCipherSpec ServerFinished(MAC(handshake messages)) Done. Can start secure data transfer. SeverKeyExchange: Optional, e.g., used with DH variant of AKE. CertificateRequest: Sent if the server wants the client to authenticate itself (with digital signature). ClientCertificate: Sent if the server asks for client authentication. CertificateVerify: Client authenticator (based on digital signature). ChangeCipherSpec: Server commits agreed ciphersuite and keys. Next messages are encrypted and authenticated. ClientFinished: MAC with master secret authenticates handshake, confirms key knowledge, etc. Octavian Catrina 17

DH+DSS KE with server authentication 1/2 ClientHello (M1) Version: 3.3 (TLS 1.2) Client ClientNonce: Random[28] + GMT_seconds[4] SuggestedCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,... DSS/DSA = Digital Signature Server Standard/Algorithm Server actions after receiving M1: KS SRV = Server's DSS private (signing) key. KV SRV = Server's DSS public (verification) key. - Select cipher suite. Select the DH domain parameters dh_p, dh_g. - Generate the server's DH parameters: dh_xs and dh_ys = (dh_g) dh_xs mod dh_p. - Construct and send next messages... Client actions after receiving M2: - Validate the server s certificate chain. - Verify signature in M2c, and store server's DH public parameters: dh_p, dh_g, dh_ys. - Generate the client's DH parameters: dh_xc and dh_yc = (dh_g) dh_xc mod dh_p. - Generate pre_master_secret = (dh_ys) dh_xc mod dh_p. - Generate secrets from pre_master_secret: master_secret = PRF(pre_master_secret, "master secret" ClientNonce ServerNonce) key_block = PRF(master_secret, "key expansion" ClientNonce ServerNonce) Take successive bytes from key_block for: client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv - Apply client-write parameters to write M3b and all subsequent messages (encrypted and authenticated). ServerHello (M2a) Version 3.3 (TLS 1.2) ServerNonce: Random[28] + GMT_seconds[4] SessionID: 0x945D6F22 ChosenCipherSuite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA ServerCertificateChain (M2b) Subject: AltName=www.some.com Public Key:... (= DSS KV SRV ) Issuer: DN=Verisign... ServerKeyExchange (M2c) ServerDHParams: dh_p, dh_g, dh_ys DSS_sign(KS SRV, ClientNonce ServerNonce ServerDHParams) ServerHelloDone (M2d) (Client can proceed with next handshake phase) Octavian Catrina 18

DH+DSS KE with server authentication 2/2 Client ClientKeyExchange (M3a) ClientDiffieHellmanPublic: dh_yc ChangeCipherSpec (M3b) (Further traffic starting with next message will be protected under agreed cipher suite and keys) ClientFinished (M3c) PRF(master_secret, "client finished", Hash(handshake_msgs)) where handshake_msgs = M1 M2 M3a Server Server actions after receiving M3: - Generate pre_master_secret = (dh_yc) dh_xs mod dh_p. - Generate secrets from pre_master_secret exactly like the client: a master_secret and then client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv - Apply client-write parameters to read M3c and all subsequent messages (encrypted and authenticated). - Verify PRF (MAC) in M3c (authenticates all handshake messages, confirms that the client knows the keys, etc.). - Apply server-write parameters to write M4b and all subsequent messages (encrypted and authenticated). Client actions after receiving M4: - Apply server-write parameters to read M4b and all subsequent messages (encrypted and authenticated). - Verify PRF (MAC) in M4b (authenticates handshake messages, confirms that server knows the keys, etc.). ChangeCipherSpec (M4a) (Further traffic starting with next message will be protected under agreed cipher suite and keys) ServerFinished (M4b) PRF(master_secret, "server finished", Hash(handshake-msgs)) where handshake_msgs = M1 M2 M3a M3c The Hash value in ClientFinished and ServerFinished is computed on the concatenation of previous TLS Handshake protocol messages (without ChangeCipherSpec, alerts, etc.). Octavian Catrina 19

RSA KE with mutual authentication 1/2 Client Server ClientHello (M1) Version: 3.3 (TLS 1.2) ClientNonce: Random[28] + GMT_seconds[4] SuggestedCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA, Client actions after receiving M2: - Validate the server s certificate chain. - Generate random pre_master_secret (48 bytes). - Generate secrets from pre_master_secret: - Compute master_secret = PRF(pre_master_secret, "master secret" ClientNonce ServerNonce) key_block = PRF(master_secret, "key expansion" ClientNonce ServerNonce) - Take successive bytes from key_block for: client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv - By sending the (optional) CertificateRequest the server asks the client to authenticate using a digital signature. - Construct and send next messages... KE SRV = Server's RSA public (encryption) key. KV CLI = Client's RSA public (verification) key. KS CLI = Client's RSA private (signing) key. Server actions after receiving M1: - Select cipher suite. - Construct and send next messages... ServerHello (M2a) Version 3.3 (TLS 1.2) ServerNonce: Random[28] + GMT_seconds[4] SessionID: 0x35DD84F0 ChosenCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA256 ServerCertificateChain (M2b) Subject: DN=BigBankHomeBkgDiv Public Key:... (RSA KE SRV ) Issuer: DN=BigBank... Subject: DN=BigBank Public Key: 0xD9783BB2208F3... Issuer: DN=Verisign... CertificateRequest (M2c) Type: RSA_signing AcceptableCAs: BigBankHomeBkgDiv ServerHelloDone (M2d) (Client can proceed with next handshake phase) Octavian Catrina 20

RSA KE with mutual authentication 2/2 Client Server ClientCertificateChain (M3a) Subject: DN = Alice Public Key:... (RSA KV CLI ) Issuer: DN = BigBankHomeBkgDiv... ClientKeyExchange (M3b) RSA_encrypt(KE SRV, pre_master_secret) CertificateVerify (M3c) RSA_sign(KS CLI, handshake_msgs) where handshake_msgs = M1 M2 M3a M3b ChangeCipherSpec (M3d) (Further traffic starting with next message will be protected using agreed cipher suite and keys) ClientFinished (M3e) PRF(master_secret, "client finished", Hash(handshake_msgs)) where handshake_msgs = M1 M2 M3a M3b M3c Client actions after receiving M4: - Apply server-write parameters to read M4b and all subsequent messages (encrypted and authenticated). - Verify PRF (MAC) in M4b (authenticates handshake messages, confirms that server knows the keys, implicitly authenticates the server, etc.). Server actions after receiving M3: - Authenticate the client: Verify the client's certificate chain and the client's signature in M3c. - Decrypt pre_master_secret from M3b. - Generate secrets from pre_master_secret exactly like the client: a master_secret and client-write-mac, server-write-mac, client-write-key, server-write-key, client-write-iv, server-write-iv - Apply client-write parameters to read M3e and all the subsequent messages (encrypted and authenticated). - Verify PRF (MAC) in M3e (authenticates handshake messages, confirms that client knows they keys, etc.). - Construct and send last messages... ChangeCipherSpec (M4a) (Further traffic starting with next message will be protected using agreed cipher suite and keys) ServerFinished (M4b) PRF(master_secret, "server finished", Hash(handshake_msgs)) where handshake_msgs = M1 M2 M3a M3b M3c M3e Octavian Catrina 21

HTTP+TLS and Password authentication Example: Access to an on-line digital library, restricted to subscribers. (1) TLS connection setup Server authentication and confidentiality (2) User authentication User-id and Password transferred using the secured connection Octavian Catrina 22

Resuming a session Client E.g., new TLS connection, for other op with same server after setting up a TLS session. Server ClientHello (M1) Version 3.3 ClientNonce: Random[28] + GMT_seconds[4] SuggestedCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA SessionID: 0x945D6F22 (previously established) ChangeCipherSpec (M3a) Server and client update key_block using the session's master_secret and the new nonces. (Further traffic starting with next message will be protected under agreed cipher suite and keys) ServerHello (M2a) Version 3.3 ServerNonce: Random[28] + GMT_seconds[4] SessionID: 0x945D6F22 ChosenCipherSuite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA ChangeCipherSpec (M2b) (Further traffic starting with next message will be protected under agreed cipher suite and keys) ServerFinished (M2c) PRF(master_secret, "server finished, Hash(handshake_msgs)) where handshake_msgs = M1 M2a ClientFinished (M3b) PRF(master_secret, "client finished, Hash(handshake_msgs)) where handshake_msgs = M1 M2a M2c Octavian Catrina 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback